diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml index 37ecc164f8b..0aa38dbf804 100644 --- a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml +++ b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml @@ -15,6 +15,7 @@ on: - 'Parsers/ASimRegistryEvent/Parsers/**' - 'Parsers/ASimUserManagement/Parsers/**' - 'Parsers/ASimDhcpEvent/Parsers/**' + - 'Parsers/ASimAlertEvent/Parsers/**' env: GITHUB_APPS_ID: "${{ secrets.APPLICATION_ID }}" diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml index 9f716006edd..42ed83b6542 100644 --- a/.github/workflows/runAsimSchemaAndDataTesters.yaml +++ b/.github/workflows/runAsimSchemaAndDataTesters.yaml @@ -17,6 +17,7 @@ on: - 'Parsers/ASimRegistryEvent/Parsers/**' - 'Parsers/ASimUserManagement/Parsers/**' - 'Parsers/ASimDhcpEvent/Parsers/**' + - 'Parsers/ASimAlertEvent/Parsers/**' # Allows you to run this workflow manually from the Actions tab workflow_dispatch: diff --git a/.script/dataConnectorValidator.ts b/.script/dataConnectorValidator.ts index 7b5e1218674..be340c4cc62 100644 --- a/.script/dataConnectorValidator.ts +++ b/.script/dataConnectorValidator.ts @@ -26,7 +26,11 @@ export async function IsValidDataConnectorSchema(filePath: string): Promise + Version: '0.1.0' + LastUpdated: +Product: + Name: +Normalization: + Schema: AlertEvent + Version: '' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the logs to the ASIM 'Alert' normalized schema. +ParserName: +EquivalentBuiltInParser: <_ASim_AlertEvent_Vendor+Product> +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser = ( + disabled:bool = false + ) + { + + }; + parser (disabled = disabled) 
diff --git a/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml index 2f8ec699ed3..35e359b4374 100644 --- a/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: ASIM Audit Event parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM Audit Event normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_AuditEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_AuditEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml index 44a226ee176..8e0f5393134 100644 --- a/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: ASIM Authentication parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM Authentication normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_Authentication_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_Authentication_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml index 9701611d7d3..e6d0f702dbf 100644 --- a/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml 
@@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Dhcp normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_DhcpEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml index c0ce303cec3..4b528a04936 100644 --- a/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: DNS activity ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM DNS activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_Dns_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_Dns_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml index 9b60011a994..feb51701aec 100644 --- a/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: File events ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM file activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_FileEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_FileEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool 
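Review bot: The new `EquivalentBuiltInParser` value in the ASimDhcpEventTemplate hunk is missing its closing angle bracket — `<_ASim_DhcpEvent_Vendor+Product` — whereas every other template in this commit closes the placeholder, and the ASimWebSessionTemplate hunk later in the diff has the same truncation. A contributor copying the template, or any script that substitutes the placeholders, is left with a dangling `<` in the generated parser metadata. Suggested lines: `EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product>` here and `EquivalentBuiltInParser: <_ASim_WebSession_Vendor+Product>` in the WebSession template.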
diff --git a/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml index 516be25e466..9d13fe70153 100644 --- a/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Network Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_NetworkSession_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_NetworkSession_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml index 5fb4ab297c6..4d323e6cc4b 100644 --- a/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Process event ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ references: Link: https:/aka.ms/AboutASIM Description: This ASIM parser supports normalizing the logs to the ASIM process event normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_ProcessEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_ProcessEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml index 9b2d1aaf059..f7fc02357af 100644 --- a/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml 
@@ -1,6 +1,6 @@ Parser: Title: Registry Event ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Registry event normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_RegistryEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_RegistryEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml index 25aee7cfddd..20e8ffbac02 100644 --- a/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: User Management activity ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM User Management activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_UserManagement_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_UserManagement_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml index abbeb912d92..ce935389811 100644 --- a/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Web Session ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: 
@@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Web Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_WebSession_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_WebSession_Vendor+Product ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/vimAlertEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAlertEventTemplate.yaml new file mode 100644 index 00000000000..f82271cfa02 --- /dev/null +++ b/ASIM/dev/Parser YAML templates/vimAlertEventTemplate.yaml 
@@ -0,0 +1,82 @@
+Parser:
+ Title: Alert Event ASIM filtering parser for
+ Version: '0.1.0'
+ LastUpdated:
+Product:
+ Name:
+Normalization:
+ Schema: AlertEvent
+ Version: ''
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This ASIM filtering parser supports normalizing the logs to the ASIM Alert normalized schema.
+ParserName:
+EquivalentBuiltInParser: <_Im_AlertEvent_Vendor+Product>
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: ipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: hostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: username_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktactics_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktechniques_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: threatcategory_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: alertverdict_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventseverity_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ ipaddr_has_any_prefix: dynamic=dynamic([]),
+ hostname_has_any: dynamic=dynamic([]),
+ username_has_any: dynamic=dynamic([]),
+ attacktactics_has_any: dynamic=dynamic([]),
+ attacktechniques_has_any: dynamic=dynamic([]),
+ threatcategory_has_any: dynamic=dynamic([]),
+ alertverdict_has_any: dynamic=dynamic([]),
+ eventseverity_has_any: dynamic=dynamic([]),
+ disabled:bool=false
+ )
+ {
+
+ };
+ parser (
+ starttime = starttime,
+ endtime = endtime,
+ ipaddr_has_any_prefix = ipaddr_has_any_prefix,
+ hostname_has_any = hostname_has_any,
+ username_has_any = username_has_any,
+ attacktactics_has_any = attacktactics_has_any,
+ attacktechniques_has_any = attacktechniques_has_any,
+ threatcategory_has_any = threatcategory_has_any,
+ alertverdict_has_any = alertverdict_has_any,
+ eventseverity_has_any = eventseverity_has_any,
+ disabled = disabled
+ )
diff --git a/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml
index 3b4a2fc7d01..28fbaca7695 100644
--- a/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Audit Event ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports normalizing the logs to the ASIM Audit Event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_AuditEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_AuditEvent_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml
index 5df2091d903..b9f093f108b 100644
--- a/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Authentication ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports filtering and normalizing the logs to the ASIM authentication normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_Authentication_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_Authentication_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
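Review bot: The second reference link in the new vimAlertEventTemplate is malformed — `Link: https:/aka.ms/AboutASIM` has a single slash — so every filtering parser created from this template ships a broken link; the ASimAlertEventTemplate hunk earlier in this commit carries the same value, and the context lines of the existing templates show the typo is inherited rather than new. Suggested line: `Link: https://aka.ms/AboutASIM`. Separately, `Normalization.Version` is left as `''` while the ASimAlertEvent parsers added by this commit set `EventSchemaVersion = '0.1'`; if the AlertEvent schema version is fixed, pre-filling `Version: '0.1'` in both AlertEvent templates would keep new parsers consistent with the shipped ones.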
diff --git a/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml index 4a10b9ee264..a07c0f1a862 100644 --- a/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing the logs to the ASIM authentication normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_DhcpEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_DhcpEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml b/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml index 8d85587e4f2..bb4cdd22515 100644 --- a/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: DNS activity ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing the logs to the ASIM DNS activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_Dns_Product> +ParserName: +EquivalentBuiltInParser: <_Im_Dns_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml index d153ea2c5f1..c3fa3de879e 100644 --- a/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: File events ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: 
@@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing the logs to the ASIM file activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_FileEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_FileEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml index 43cb268866d..8d238ca37a3 100644 --- a/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing logs to the ASIM Network Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_NetworkSession_Product> +ParserName: +EquivalentBuiltInParser: <_Im_NetworkSession_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml index 6d29557cbdf..23f09bdace1 100644 --- a/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Process event ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ references: Link: https:/aka.ms/AboutASIM Description: This ASIM filtering parser supports normalizing the logs to the ASIM process event normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_ProcessEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_ProcessEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime 
diff --git a/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml index 0c3c985f48d..1b5b8142965 100644 --- a/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Registry Event ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing logs to the ASIM Registry event normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_RegistryEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_RegistryEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml b/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml index fcbc9181939..4d13c60d852 100644 --- a/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: User Management activity ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing the logs to the ASIM User Management activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_UserManagement_Product> +ParserName: +EquivalentBuiltInParser: <_Im_UserManagement_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml index a2291be6ded..b958e0e61b9 100644 --- a/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml 
@@ -1,6 +1,6 @@ Parser: Title: Web Session ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing logs to the ASIM Web Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_WebSession_Product> +ParserName: +EquivalentBuiltInParser: <_Im_WebSession_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json new file mode 100644 index 00000000000..64b4cf2a02d --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json 
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAlertEvent",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Alert Event ASIM parser",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAlertEvent",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))\n}; \nparser (pack=pack)\n",
+ "version": 1,
+ "functionParameters": "pack:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/README.md
new file mode 100644
index 00000000000..dd7d8c8df5d
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/README.md
@@ -0,0 +1,18 @@
+# Source agnostic ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for Source agnostic.
+
+This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEvent%2FASimAlertEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEvent%2FASimAlertEvent.json)
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json
new file mode 100644
index 00000000000..9184630b92e
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAlertEventMicrosoftDefenderXDR",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Alert Event ASIM parser for Microsoft Defender XDR",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAlertEventMicrosoftDefenderXDR",
+ "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n[\n\"User\", \"User\",\n\"Machine\", \"Host\",\n\"Process\", \"Process\",\n\"File\", \"File\",\n\"Ip\", \"Ip\",\n\"Url\", \"Url\",\n\"RegistryValue\", \"Registry\",\n\"CloudLogonSession\", \"LogonSession\",\n\"CloudApplication\", \"Application\",\n\"Mailbox\", \"Mailbox\",\n\"MailMessage\", \"Email\",\n\"CloudResource\", \"Cloud Resource\"\n];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n};\nparser(\n disabled = disabled\n)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/README.md
new file mode 100644
index 00000000000..8e655ffa98b
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/README.md
@@ -0,0 +1,18 @@
+# Microsoft Defender XDR ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for Microsoft Defender XDR.
+
+This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
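Review bot: `ParentProcessSHA1_s` is computed in the parent-process `extend` of the `ASimAlertEventMicrosoftDefenderXDR` query but never packed — the `bag_pack(...)` that rebuilds `AdditionalFields` lists `ParentProcessSHA256_s` and `ParentProcessMD5_s` only — and the closing `project-away *_s` then drops it, so the parent process SHA1 never reaches the normalized event; add `"ParentProcessSHA1", ParentProcessSHA1_s,` to the bag. Relatedly, the hash fields are read by array position (`ImageFile[0].SHA1`, `ImageFile[2].SHA256`, `ImageFile[1].MD5`, and `FileHashes[1].Value` for `FileMD5`) while the same `ImageFile` is addressed as a record (`ImageFile.Directory`, `ImageFile.Name`) a line earlier; if `ImageFile` is an object those lookups come back empty, and if `FileHashes` ordering varies per evidence record, `FileMD5` can silently carry a different algorithm's digest, which matters because these fields feed indicator matching downstream. I would confirm the shape against `AlertEvidence` samples and record the assumption where the array form holds, e.g. `// hash arrays indexed by observed ordering — confirm against AlertEvidence samples`. Since this ARM JSON appears to be generated from the parser YAML by the `convertKqlFunctionYamlToArmTemplate` workflow updated in this commit, the fix belongs in the YAML source.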
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventMicrosoftDefenderXDR%2FASimAlertEventMicrosoftDefenderXDR.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventMicrosoftDefenderXDR%2FASimAlertEventMicrosoftDefenderXDR.json)
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json
new file mode 100644
index 00000000000..8a16b3f6868
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAlertEventSentinelOneSingularity", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for SentinelOne Singularity platform", + "category": "ASIM", + "FunctionAlias": "ASimAlertEventSentinelOneSingularity", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", 
\"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n 
Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/README.md new file mode 100644 index 00000000000..33136ba8125 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/README.md @@ -0,0 +1,18 @@ +# SentinelOne ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for SentinelOne. + +This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
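Review bot: `AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active")` in the SentinelOne query yields "Active" for every value other than "resolved", including an empty or missing incident status, so records carrying no status information are surfaced as open alerts; the Defender XDR parser in this same change returns "" in that situation. Aligning the two would be `AlertStatus = case(isempty(threatInfo_incidentStatus_s), "", threatInfo_incidentStatus_s == "resolved", "Closed", "Active"),`. The same query hard-codes `DvcDomainType = "Windows"` while DvcOs is taken from agentRealtimeInfo_agentOsName_s, so non-Windows agents are tagged with a Windows domain type; `DvcDomainType = iif(isnotempty(agentRealtimeInfo_agentDomain_s), "Windows", ""),` would at least not assert a domain type when no domain is present. Since this ARM template appears to be generated from the parser YAML by the workflow extended in this commit, the correction presumably belongs in the source YAML rather than here.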
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventSentinelOneSingularity%2FASimAlertEventSentinelOneSingularity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventSentinelOneSingularity%2FASimAlertEventSentinelOneSingularity.json) diff --git a/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json new file mode 100644 index 00000000000..511d954dd5f --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json 
@@ -0,0 +1,163 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAlertEvent", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAlertEventMicrosoftDefenderXDR", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAlertEventSentinelOneSingularity", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedimAlertEvent", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAlertEventEmpty", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAlertEventMicrosoftDefenderXDR", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAlertEventSentinelOneSingularity", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/README.md b/Parsers/ASimAlertEvent/ARM/README.md new file mode 100644 index 00000000000..16b73ae5710 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/README.md @@ -0,0 +1,17 @@ +# Advanced Security Information Model (ASIM) AlertEvent parsers + +This template deploys all ASIM AlertEvent parsers. + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAlertEventARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAlertEventARMgov) + +
diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/README.md b/Parsers/ASimAlertEvent/ARM/imAlertEvent/README.md new file mode 100644 index 00000000000..fa5309b353d --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/README.md @@ -0,0 +1,18 @@ +# Source agnostic ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for Source agnostic. + +This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FimAlertEvent%2FimAlertEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FimAlertEvent%2FimAlertEvent.json) diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json new file mode 100644 index 00000000000..62cf5a1abda --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "imAlertEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imAlertEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n 
pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),pack:bool=False" + } + } + ] + } + ] +} \ No newline 
at end of file diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/README.md new file mode 100644 index 00000000000..b64b1516851 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/README.md @@ -0,0 +1,18 @@ +# Microsoft ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for Microsoft. + +This function returns an empty ASIM Dhcp Event schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
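Review bot: The per-source disable keys in the union, `'ExcludevimAlertMicrosoftDefenderXDR'` and `'ExcludevimAlertSentinelOneSingularity'`, omit the "Event" part of the function aliases they guard (`vimAlertEventMicrosoftDefenderXDR`, `vimAlertEventSentinelOneSingularity`), whereas the schema-level keys in the same query, `'ExcludeimAlertEvent'` and `'ExcludevimAlertEvent'`, follow the alias. An operator who adds `Exclude` + function alias to the ASimDisabledParsers watchlist to switch off one source would therefore not affect these two parsers. If alias-based naming is intended, the keys should read `'ExcludevimAlertEventMicrosoftDefenderXDR'` and `'ExcludevimAlertEventSentinelOneSingularity'`; otherwise the keys actually honoured should be documented where the watchlist convention is described.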
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventEmpty%2FvimAlertEventEmpty.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventEmpty%2FvimAlertEventEmpty.json) diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json new file mode 100644 index 00000000000..d47f9a14ad1 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json 
@@ -0,0 +1,45 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAlertEventEmpty", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAlertEventEmpty", + "query": "let EmptyAlertEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, AdditionalFields:dynamic\n, EventCount:int\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EvenMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, EventSeverity:string\n, EventOriginalSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOwner:string\n, EventOriginalType:string\n, EventOriginalSubType:string\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult:string\n, EventStartTime:datetime\n, EventUid:string\n//****** Device fields ******\n, DvcAction:string\n, DvcDescription:string\n, DvcId:string\n, DvcIdType:string\n, DvcInterface:string\n, DvcHostname:string\n, DvcDomain:string\n, 
DvcDomainType:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcOriginalAction:string\n, DvcScope:string\n, DvcScopeId:string\n, DvcFQDN:string\n, DvcZone:string\n//****** Inspection fields ******\n, AlertId:string\n, AlertName:string\n, AlertDescription:string\n, AlertStatus:string\n, AlertOriginalStatus:string\n, AlertVerdict:string\n, AttackTactics:string\n, AttackTechniques:string\n, AttackRemediationSteps:string\n, IndicatorType:string\n, IndicatorAssociation:string\n, DetectionMethod:string\n, Rule: string\n, RuleNumber:int\n, RuleName:string\n, RuleDescription:string\n, ThreatId:string\n, ThreatName:string\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatCategory:string\n, ThreatOriginalCategory:string\n, ThreatIsActive:bool\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n//****** Source User fields ******\n, UserId:string\n, UserTdType:string\n, Username:string\n, UsernameType:string\n, UserType:string\n, OriginalUserType:string\n, SessionId:string\n, UserScopeId:string\n, UserScope:string\n//****** Process fields ******\n, ProcessId:string\n, ProcessName:string\n, ProcessCommandLine:string\n, ProcessFileCompany:string\n//****** File fields ******\n, FileName:string\n, FilePath:string\n, FileSHA1:string\n, FileMD5:string\n, FileSHA256:string\n, FileSize:int\n//****** Registry fields ******\n, RegistryKey:string\n, RegistryValue:string\n, RegistryValueType:string\n, RegistryValueData:string\n//****** Email fields ******\n, EmailSubject:string\n, EmailMessageId:string\n//****** Url fields ******\n, Url:string\n//****** Aliases ******\n, IpAddr:string\n, Hostname:string\n, User:string\n)[];\nEmptyAlertEvents", + "version": 1 + } + } + ] + } + ] +} \ No newline at end of file 
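Review bot: Two column names in the EmptyAlertEvents datatable are misspelled relative to the fields the source parsers emit: `EvenMessage:string` (should be `EventMessage`) and `UserTdType:string` (should be `UserIdType`, which the Defender XDR filtering parser in this change populates). Because imAlertEvent combines this table with the source parsers via `union isfuzzy=true`, the misspelled columns appear alongside the correctly named ones, and any consumer relying on the empty parser to declare the schema sees the wrong names. Corrected lines: `, EventMessage:string` and `, UserIdType:string`. The declared types are also worth checking against what the source parsers produce, e.g. `FileSize:int` here versus the real-typed `threatInfo_fileSize_d` in the SentinelOne parser and `ProcessId:string` versus the dynamic `AdditionalFields.ProcessId` in the Defender XDR parser, since mismatched types may be split into separate columns by the union.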
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/README.md new file mode 100644 index 00000000000..31caa77e5c1 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/README.md @@ -0,0 +1,18 @@ +# Microsoft Defender XDR ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for Microsoft Defender XDR. + +This ASIM parser supports normalizing and filtering the Microsoft Defender XDR logs to the ASIM Alert normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventMicrosoftDefenderXDR%2FvimAlertEventMicrosoftDefenderXDR.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventMicrosoftDefenderXDR%2FvimAlertEventMicrosoftDefenderXDR.json) diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json new file mode 100644 index 00000000000..8656327fbc5 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAlertEventMicrosoftDefenderXDR", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser for Microsoft Defender XDR", + "category": "ASIM", + "FunctionAlias": "vimAlertEventMicrosoftDefenderXDR", + "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n [\n \"User\", \"User\",\n \"Machine\", \"Host\",\n \"Process\", \"Process\",\n \"File\", \"File\",\n \"Ip\", \"Ip\",\n \"Url\", \"Url\",\n \"RegistryValue\", \"Registry\",\n \"CloudLogonSession\", \"LogonSession\",\n \"CloudApplication\", \"Application\",\n \"Mailbox\", \"Mailbox\",\n \"MailMessage\", \"Email\",\n \"CloudResource\", \"Cloud Resource\"\n ];\n let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n ];\n let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n ];\n let AlertVerdictLookup 
= datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n ];\n let AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\n let ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any)))\n and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) 
or (Categories has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser.\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n 
HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), 
strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor 
= 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n };\n parser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n )\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/README.md new file mode 100644 index 00000000000..27b49ecb962 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/README.md 
@@ -0,0 +1,18 @@ +# SentinelOne ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for SentinelOne. + +This ASIM parser supports normalizing and filtering the SentinelOne alerts to the ASIM Alert normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventSentinelOneSingularity%2FvimAlertEventSentinelOneSingularity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventSentinelOneSingularity%2FvimAlertEventSentinelOneSingularity.json) diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json new file mode 100644 index 00000000000..447a4b34eba --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAlertEventSentinelOneSingularity", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser for SentinelOne Singularity platform", + "category": "ASIM", + "FunctionAlias": "vimAlertEventSentinelOneSingularity", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", 
\"Reputation\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))\n //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n 
ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n 
EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml new file mode 100644 index 00000000000..c2a89f06e56 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml 
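Review bot: The `username_has_any` filter in the leading `where` block of `parser` is commented out (`//and ((array_length(username_has_any) == 0) or ...`), so the filtering parser still accepts and forwards `username_has_any` but never applies it, and a caller passing usernames silently receives the full, unfiltered result set. Since `Username` is computed later as `coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)`, the simplest fix is a filter after that extend, `| where ((array_length(username_has_any) == 0) or (Username has_any (username_has_any)))`, mirroring how ThreatCategory and AlertVerdict are filtered after mapping. If this ARM template is generated from a YAML parser as the other files in this commit suggest, the same fix belongs in that YAML, which is not in view here.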
@@ -0,0 +1,36 @@ +Parser: + Title: Alert Event ASIM parser + Version: '0.1.0' + LastUpdated: Oct 18, 2024 +Product: + Name: Source agnostic +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema. +ParserName: ASimAlertEvent +EquivalentBuiltInParser: _ASim_AlertEvent +Parsers: + - _Im_AlertEvent_Empty + - _ASim_AlertEvent_MicrosoftDefenderXDR + - _ASim_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: pack + Type: bool + Default: false +ParserQuery: | + let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser)); + let ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); + let parser=(pack:bool=false){ + union isfuzzy=true + vimAlertEventEmpty, + ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))), + ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))) + }; + parser (pack=pack) diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml new file mode 100644 index 00000000000..00b2d8ca3f7 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml 
@@ -0,0 +1,211 @@ +Parser: + Title: Alert Event ASIM parser for Microsoft Defender XDR + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: Microsoft Defender XDR +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema. +ParserName: ASimAlertEventMicrosoftDefenderXDR +EquivalentBuiltInParser: _ASim_AlertEvent_MicrosoftDefenderXDR +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) + [ + "User", "User", + "Machine", "Host", + "Process", "Process", + "File", "File", + "Ip", "Ip", + "Url", "Url", + "RegistryValue", "Registry", + "CloudLogonSession", "LogonSession", + "CloudApplication", "Application", + "Mailbox", "Mailbox", + "MailMessage", "Email", + "CloudResource", "Cloud Resource" + ]; + let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) + [ + "Related", "Associated", + "Impacted", "Targeted" + ]; + let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string) + [ + "ExpandString", "Reg_Expand_Sz" + ]; + let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) + [ + "Malicious", "True Positive", + "Suspicious", "True Positive", + "NoThreatsFound", "Benign Positive" + ]; + let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); + let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", 
"Unknown", "SuspiciousActivity"]); + let parser = ( + disabled: bool=false) { + AlertEvidence + | where not(disabled) + // Mapping Inspection Fields + | extend + EventUid = AlertId, + AlertName = Title, + AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), + AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), + AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), + AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), + AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), + DetectionMethod = DetectionSource + | lookup AlertVerdictLookup on AlertVerdict_Custom + | lookup IndicatorTypeLookup on EntityType + | lookup IndicatorAssociationLookup on EvidenceRole + // Mapping Threat Fields + | extend + ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") + // Mapping User Entity + | extend + UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), + UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), + Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), + UserSessionId = tostring(AdditionalFields.SessionId), + UserScopeId = tostring(AdditionalFields.AadTenantId), + HttpUserAgent_s = tostring(AdditionalFields.UserAgent) + | extend + UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), + UserId = coalesce(UserId, UserSid), + UserType = _ASIM_GetUserType(Username, UserSid), + UsernameType = _ASIM_GetUsernameType(Username) + // Mapping Device Entity + | extend + DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), + DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), + DvcOs = tostring(coalesce(AdditionalFields.OSFamily, 
AdditionalFields.Host.OSFamily)), + DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), + DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), + DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) + | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") + | invoke _ASIM_ResolveDvcFQDN("DeviceName") + // Mapping Additional Fields + | extend + GeoCity_s = AdditionalFields.Location.City, + GeoCountry_s = AdditionalFields.Location.CountryCode, + GeoLatitude_s = AdditionalFields.Location.Latitude, + GeoLongitude_s = AdditionalFields.Location.Longitude, + GeoRegion_s = AdditionalFields.Location.State + // Mapping Process Entity + | extend + ProcessId = AdditionalFields.ProcessId, + ProcessCommandLine, + ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), + ProcessFileCompany = AdditionalFields.Publisher, + // Parent Process Fields + ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, + ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, + ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), + ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, + ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, + ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 + // Mapping File Entity + | extend + FileName, + FileDirectory = FolderPath, + FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), 
strcat(FolderPath, '\\', FileName), FileName), + FileSHA1 = SHA1, + FileSHA256 = SHA256, + FileMD5 = AdditionalFields.FileHashes[1].Value, + FileSize = FileSize + // Mapping Url Entity + | extend + Url = RemoteUrl + // Mapping Registry Entity + | extend + RegistryKey, + RegistryValue = RegistryValueName, + RegistryValueData, + ValueType = tostring(AdditionalFields.ValueType) + | lookup RegistryValueTypeLookup on ValueType + // Mapping Application Entity + | extend + AppId_s = ApplicationId, + AppName_s = Application + // Mapping Email Entity + | extend + EmailMessageId = NetworkMessageId, + EmailSubject + | extend AdditionalFields = bag_pack( + "AlertVerdictDate", + AlertVerdictDate_s, + "HttpUserAgent", + HttpUserAgent_s, + "GeoCity", + GeoCity_s, + "GeoCountry", + GeoCountry_s, + "GeoLatitude", + GeoLatitude_s, + "GeoLongitude", + GeoLongitude_s, + "GeoRegion", + GeoRegion_s, + "ParentProcessId", + ParentProcessId_s, + "ParentProcessCommandLine", + ParentProcessCommandLine_s, + "ParentProcessName", + ParentProcessName_s, + "ParentProcessSHA256", + ParentProcessSHA256_s, + "ParentProcessMD5", + ParentProcessMD5_s + ) + // Mapping common event fields + | extend + EventSubType = "Threat", // All events in AlertEvidence contains threat info + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = ServiceSource, + EventVendor = 'Microsoft', + EventSchema = 'AlertEvent', + EventSchemaVersion = '0.1', + EventType = 'Alert', + EventCount = int(1) + // MApping Alias + | extend + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + User = Username + | project-away + Title, + Categories, + EntityType, + EvidenceRole, + DetectionSource, + ServiceSource, + ThreatFamily, + RemoteIP, + RemoteUrl, + AccountName, + AccountDomain, + DeviceName, + LocalIP, + AlertVerdict_Custom, + EvidenceDirection, + Account*, + ApplicationId, + Application, + *_s + }; + parser( + disabled = disabled + ) \ No newline at end of file 
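Review bot: `ParentProcessSHA1_s` is computed in the Process Entity extend but never packed into `AdditionalFields` (the `bag_pack` call lists ParentProcessSHA256 and ParentProcessMD5 but not SHA1), so the trailing `project-away *_s` silently drops it; add `"ParentProcessSHA1", ParentProcessSHA1_s,` to the bag. The hash extraction also relies on fixed positions — `FileHashes[1].Value` for MD5 and `ImageFile[0].SHA1` / `[1].MD5` / `[2].SHA256` — while `ImageFile` is addressed as an object (`.Directory`, `.Name`) a few lines earlier; unless the array order is guaranteed by the AlertEvidence schema these can pick up a different algorithm's value, and selecting the entry by its algorithm field (for example with `mv-apply`) would be more robust — confirm against the data. Separately, `AttackTactics` and `ThreatCategory` are both produced by stripping brackets and quotes from the whole `Categories` array, so an alert whose Categories mixes tactic and category values yields the full list in both fields; filtering the array against the respective set before joining would keep them disjoint.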
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml new file mode 100644 index 00000000000..dbd8a8ce831 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml 
@@ -0,0 +1,113 @@ +Parser: + Title: Alert Event ASIM parser for SentinelOne Singularity platform + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: SentinelOne +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema. +ParserName: ASimAlertEventSentinelOneSingularity +EquivalentBuiltInParser: _ASim_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string) + [ + "Undefined", "Unknown", + "true_positive", "True Positive", + "suspicious", "True Positive", + "false_positive", "False Positive" + ]; + let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let DetectionMethodLookup = datatable ( + threatInfo_engines_s: string, + DetectionMethod: string + ) + [ + "Intrusion Detection", "Intrusion Detection", + "User-Defined Blocklist", "User Defined Blocked List", + "Reputation", "Reputation" + ]; + let parser = ( + disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + | where event_name_s in ("Threats.") + // Mapping Inspection Fields + | extend + AlertId = threatInfo_threatId_s, + AlertName = threatInfo_threatName_s, + AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active"), + AlertOriginalStatus = threatInfo_incidentStatus_s, + Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s), + ThreatId = threatInfo_threatId_s, + ThreatName = threatInfo_threatName_s, + ThreatFirstReportedTime = threatInfo_identifiedAt_t, + ThreatLastReportedTime = 
threatInfo_updatedAt_t, + ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""), + ThreatOriginalCategory = threatInfo_classification_s + | extend + AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))), + AttackTactics = tostring(extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names))) + | project-away Names + | lookup DetectionMethodLookup on threatInfo_engines_s + | extend analystVerdict_s = threatInfo_analystVerdict_s + | lookup AlertVerdictLookup on analystVerdict_s + // Mapping Dvc Fields + | extend + DvcHostname = agentRealtimeInfo_agentComputerName_s, + DvcOs = agentRealtimeInfo_agentOsName_s, + DvcOsVersion = agentRealtimeInfo_agentOsRevision_s, + DvcId = agentRealtimeInfo_agentId_s, + DvcIdType = "Other", + DvcDomain = agentRealtimeInfo_agentDomain_s, + DvcDomainType = "Windows", + DvcIpAddr = agentDetectionInfo_agentIpV4_s + // Mapping Process Entity + | extend + ProcessCommandLine = threatInfo_maliciousProcessArguments_s, + ProcessName = threatInfo_originatorProcess_s + // Mapping File Fields + | extend + FileMD5 = threatInfo_md5_g, + FileSHA1 = threatInfo_sha1_s, + FileSHA256 = threatInfo_sha256_s, + FilePath=threatInfo_filePath_s, + FileSize = threatInfo_fileSize_d + // Mapping User Fields + | extend + Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s) + | extend UsernameType = _ASIM_GetUsernameType(Username) + // Event Fields + | extend + EventType = 'Alert', + EventOriginalType = event_name_s, + EventUid = threatInfo_threatId_s, + EventCount = int(1), + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 'Singularity', + EventVendor = 'SentinelOne', + EventSchemaVersion = '0.1', + EventSchema = "AlertEvent" + | extend EventSubType = "Threat" + // Aliases + | extend + IpAddr = DvcIpAddr, + User = Username, + Hostname = DvcHostname + | project-away *_s, *_g, SourceSystem, 
ManagementGroupName, Computer, RawData, *_t, *_b, *_d + }; + parser ( + disabled = disabled + ) \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml new file mode 100644 index 00000000000..7bd90619955 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml 
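Review bot: `DvcDomainType = "Windows"` is hard-coded in the Dvc Fields extend even though `DvcOs` is taken from `agentRealtimeInfo_agentOsName_s`, so any non-Windows agent reporting into `SentinelOne_CL` gets a Windows domain type attached to `agentRealtimeInfo_agentDomain_s`. Deriving it from the OS name, e.g. `DvcDomainType = iif(agentRealtimeInfo_agentOsName_s has "Windows", "Windows", "")`, or leaving it empty when the domain is empty, would be more accurate — confirm what the source populates for non-Windows agents. The selector `| where event_name_s in ("Threats.")` matches only that exact value including the trailing period; if that is the literal event name the connector emits, a short comment saying so (`// "Threats." is the exact event_name_s value written by the connector`) would save the next reader a check, otherwise the parser drops every alert.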
@@ -0,0 +1,78 @@ +Parser: + Title: Alert Event ASIM filtering parser + Version: '0.1.0' + LastUpdated: Mar 11 2024 +Product: + Name: Source agnostic +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema. +ParserName: imAlertEvent +EquivalentBuiltInParser: _Im_AlertEvent +Parsers: + - _Im_AlertEvent_Empty + - _Im_AlertEvent_MicrosoftDefenderXDR + - _Im_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: pack + Type: bool + Default: false +ParserQuery: | + let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); + let vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); + let parser=( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + 
username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + pack:bool=false) + { + union isfuzzy=true + vimAlertEventEmpty, + vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))), + vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))) + }; + parser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml new file mode 100644 index 00000000000..181123941e7 --- /dev/null 
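Review bot: The per-source exclusion keys `'ExcludevimAlertMicrosoftDefenderXDR'` and `'ExcludevimAlertSentinelOneSingularity'` in the union omit "Event", whereas the parsers are named `vimAlertEventMicrosoftDefenderXDR` / `vimAlertEventSentinelOneSingularity` and the ASim counterpart in this commit uses `'ExcludeASimAlertEventMicrosoftDefenderXDR'`; an operator who adds the obvious `ExcludevimAlertEventMicrosoftDefenderXDR` watchlist entry would not actually disable the parser. Rename them to `'ExcludevimAlertEventMicrosoftDefenderXDR'` and `'ExcludevimAlertEventSentinelOneSingularity'`. `LastUpdated: Mar 11 2024` also predates the other new parser files in this commit (Oct 2024), which looks like a copy-paste leftover.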
+++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml 
@@ -0,0 +1,129 @@ +Parser: + Title: Alert Event ASIM schema function + Version: '0.1.0' + LastUpdated: Oct 18 2024 +Product: + Name: Microsoft +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This function returns an empty ASIM Dhcp Event schema. +ParserName: vimAlertEventEmpty +EquivalentBuiltInParser: _Im_AlertEvent_Empty +ParserQuery: | + let EmptyAlertEvents =datatable ( + TimeGenerated:datetime + , _ResourceId:string + , Type:string + // ****** Event fields ****** + , AdditionalFields:dynamic + , EventCount:int + , EventType:string + , EventProduct:string + , EventProductVersion:string + , EvenMessage:string + , EventVendor:string + , EventSchema:string + , EventSchemaVersion:string + , EventSeverity:string + , EventOriginalSeverity:string + , EventSubType:string + , EventOriginalUid:string + , EventOwner:string + , EventOriginalType:string + , EventOriginalSubType:string + , EventEndTime:datetime + , EventReportUrl:string + , EventResult:string + , EventStartTime:datetime + , EventUid:string + //****** Device fields ****** + , DvcAction:string + , DvcDescription:string + , DvcId:string + , DvcIdType:string + , DvcInterface:string + , DvcHostname:string + , DvcDomain:string + , DvcDomainType:string + , DvcIpAddr:string + , DvcOs:string + , DvcOsVersion:string + , DvcMacAddr:string + , DvcOriginalAction:string + , DvcScope:string + , DvcScopeId:string + , DvcFQDN:string + , DvcZone:string + //****** Inspection fields ****** + , AlertId:string + , AlertName:string + , AlertDescription:string + , AlertStatus:string + , AlertOriginalStatus:string + , AlertVerdict:string + , AttackTactics:string + , AttackTechniques:string + , AttackRemediationSteps:string + , IndicatorType:string + , IndicatorAssociation:string + , DetectionMethod:string + , Rule: string + , RuleNumber:int + , RuleName:string + , 
RuleDescription:string + , ThreatId:string + , ThreatName:string + , ThreatFirstReportedTime:datetime + , ThreatLastReportedTime:datetime + , ThreatCategory:string + , ThreatOriginalCategory:string + , ThreatIsActive:bool + , ThreatRiskLevel:int + , ThreatOriginalRiskLevel:string + , ThreatConfidence:int + , ThreatOriginalConfidence:string + //****** Source User fields ****** + , UserId:string + , UserTdType:string + , Username:string + , UsernameType:string + , UserType:string + , OriginalUserType:string + , SessionId:string + , UserScopeId:string + , UserScope:string + //****** Process fields ****** + , ProcessId:string + , ProcessName:string + , ProcessCommandLine:string + , ProcessFileCompany:string + //****** File fields ****** + , FileName:string + , FilePath:string + , FileSHA1:string + , FileMD5:string + , FileSHA256:string + , FileSize:int + //****** Registry fields ****** + , RegistryKey:string + , RegistryValue:string + , RegistryValueType:string + , RegistryValueData:string + //****** Email fields ****** + , EmailSubject:string + , EmailMessageId:string + //****** Url fields ****** + , Url:string + //****** Aliases ****** + , IpAddr:string + , Hostname:string + , User:string + )[]; + EmptyAlertEvents \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml new file mode 100644 index 00000000000..b494510f4cf --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml 
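Review bot: The empty schema function, which fixes the column contract every source parser in the union is measured against, misspells two columns: `EvenMessage:string` should be `EventMessage:string` and `UserTdType:string` should be `UserIdType:string` (the Defender XDR parser added in this same change emits `UserIdType`). As written, a query selecting `EventMessage` or `UserIdType` sees the column on some sources and not on `vimAlertEventEmpty`, a mismatch that `union isfuzzy=true` hides rather than reports. The Description is also a copy-paste leftover: 'This function returns an empty ASIM Dhcp Event schema.' should read 'This function returns an empty ASIM Alert Event schema.'.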
@@ -0,0 +1,275 @@ +Parser: + Title: Alert Event ASIM filtering parser for Microsoft Defender XDR + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: Microsoft Defender XDR +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing and filtering the Microsoft Defender XDR logs to the ASIM Alert normalized schema. +ParserName: vimAlertEventMicrosoftDefenderXDR +EquivalentBuiltInParser: _Im_AlertEvent_MicrosoftDefenderXDR +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) + [ + "User", "User", + "Machine", "Host", + "Process", "Process", + "File", "File", + "Ip", "Ip", + "Url", "Url", + "RegistryValue", "Registry", + "CloudLogonSession", "LogonSession", + "CloudApplication", "Application", + "Mailbox", "Mailbox", + "MailMessage", "Email", + "CloudResource", "Cloud Resource" + ]; + let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) + [ + "Related", "Associated", + "Impacted", "Targeted" + ]; + let RegistryValueTypeLookup = datatable (ValueType: string, 
RegistryValueType: string) + [ + "ExpandString", "Reg_Expand_Sz" + ]; + let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) + [ + "Malicious", "True Positive", + "Suspicious", "True Positive", + "NoThreatsFound", "Benign Positive" + ]; + let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); + let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false) { + AlertEvidence + | where not(disabled) + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix))) + and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any))) + and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any))) + and 
((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any))) + and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any))) + // ThreatCategory filtering done later in the parser + // AlertVerdict filtering done later in the parser + and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser. + // Mapping Inspection Fields + | extend + EventUid = AlertId, + AlertName = Title, + AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), + AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), + AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), + AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), + AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), + DetectionMethod = DetectionSource + | lookup AlertVerdictLookup on AlertVerdict_Custom + // Filter for AlertVerdict + | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any))) + | lookup IndicatorTypeLookup on EntityType + | lookup IndicatorAssociationLookup on EvidenceRole + // Mapping Threat Fields + | extend + ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") + // Filter for ThreatCategory + | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any))) + // Mapping User Entity + | extend + UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), + UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), + Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), + UserSessionId = tostring(AdditionalFields.SessionId), + UserScopeId = 
tostring(AdditionalFields.AadTenantId), + HttpUserAgent_s = tostring(AdditionalFields.UserAgent) + | extend + UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), + UserId = coalesce(UserId, UserSid), + UserType = _ASIM_GetUserType(Username, UserSid), + UsernameType = _ASIM_GetUsernameType(Username) + // Mapping Device Entity + | extend + DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), + DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), + DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)), + DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), + DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), + DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) + | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") + | invoke _ASIM_ResolveDvcFQDN("DeviceName") + // Mapping Additional Fields + | extend + GeoCity_s = AdditionalFields.Location.City, + GeoCountry_s = AdditionalFields.Location.CountryCode, + GeoLatitude_s = AdditionalFields.Location.Latitude, + GeoLongitude_s = AdditionalFields.Location.Longitude, + GeoRegion_s = AdditionalFields.Location.State + // Mapping Process Entity + | extend + ProcessId = AdditionalFields.ProcessId, + ProcessCommandLine, + ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), + ProcessFileCompany = AdditionalFields.Publisher, + // Parent Process Fields + ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, + ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, + ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and 
isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), + ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, + ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, + ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 + // Mapping File Entity + | extend + FileName, + FileDirectory = FolderPath, + FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), + FileSHA1 = SHA1, + FileSHA256 = SHA256, + FileMD5 = AdditionalFields.FileHashes[1].Value, + FileSize = FileSize + // Mapping Url Entity + | extend + Url = RemoteUrl + // Mapping Registry Entity + | extend + RegistryKey, + RegistryValue = RegistryValueName, + RegistryValueData, + ValueType = tostring(AdditionalFields.ValueType) + | lookup RegistryValueTypeLookup on ValueType + // Mapping Application Entity + | extend + AppId_s = ApplicationId, + AppName_s = Application + // Mapping Email Entity + | extend + EmailMessageId = NetworkMessageId, + EmailSubject + | extend AdditionalFields = bag_pack( + "AlertVerdictDate", + AlertVerdictDate_s, + "HttpUserAgent", + HttpUserAgent_s, + "GeoCity", + GeoCity_s, + "GeoCountry", + GeoCountry_s, + "GeoLatitude", + GeoLatitude_s, + "GeoLongitude", + GeoLongitude_s, + "GeoRegion", + GeoRegion_s, + "ParentProcessId", + ParentProcessId_s, + "ParentProcessCommandLine", + ParentProcessCommandLine_s, + "ParentProcessName", + ParentProcessName_s, + "ParentProcessSHA256", + ParentProcessSHA256_s, + "ParentProcessMD5", + ParentProcessMD5_s + ) + // Mapping common event fields + | extend + EventSubType = "Threat", // All events in AlertEvidence contains threat info + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 
ServiceSource, + EventVendor = 'Microsoft', + EventSchema = 'AlertEvent', + EventSchemaVersion = '0.1', + EventType = 'Alert', + EventCount = int(1) + // MApping Alias + | extend + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + User = Username + | project-away + Title, + Categories, + EntityType, + EvidenceRole, + DetectionSource, + ServiceSource, + ThreatFamily, + RemoteIP, + RemoteUrl, + AccountName, + AccountDomain, + DeviceName, + LocalIP, + AlertVerdict_Custom, + EvidenceDirection, + Account*, + ApplicationId, + Application, + *_s + }; + parser( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + disabled = disabled + ) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml new file mode 100644 index 00000000000..564c4d88696 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml 
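Review bot: The parent-process hash mapping in the Process-entity block is internally inconsistent: `AdditionalFields.ParentProcess.ImageFile` is read as an object (`ImageFile.Directory`, `ImageFile.Name`) on one line and as a three-element array (`ImageFile[0].SHA1`, `ImageFile[2].SHA256`, `ImageFile[1].MD5`) on the next, so at least one of those reads always yields null. `FileMD5 = AdditionalFields.FileHashes[1].Value` likewise trusts array position rather than the hash algorithm, and a mislabelled hash is worse than none for IOC matching; if each entry carries an algorithm name (to be confirmed against real AlertEvidence rows), select by that name instead of by index. Separately, `ParentProcessSHA1_s` is computed but not listed in the `bag_pack` call and is then removed by `project-away *_s`, so it never reaches the output; add `"ParentProcessSHA1", ParentProcessSHA1_s` to the pack or drop the computation.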
@@ -0,0 +1,176 @@ +Parser: + Title: Alert Event ASIM filtering parser for SentinelOne Singularity platform + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: SentinelOne +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing and filtering the SentinelOne alerts to the ASIM Alert normalized schema. +ParserName: vimAlertEventSentinelOneSingularity +EquivalentBuiltInParser: _Im_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string) + [ + "Undefined", "Unknown", + "true_positive", "True Positive", + "suspicious", "True Positive", + "false_positive", "False Positive" + ]; + let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let DetectionMethodLookup = datatable ( + threatInfo_engines_s: string, + DetectionMethod: string + ) + [ + "Intrusion Detection", "Intrusion 
Detection", + "User-Defined Blocklist", "User Defined Blocked List", + "Reputation", "Reputation" + ]; + let parser = (starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + | where event_name_s in ("Threats.") + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix))) + and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any))) + //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any))) + and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any))) + and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any))) + // ThreatCategory filtering done later in the parser + // AlertVerdict filtering done later in the parser + and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source + // Mapping Inspection Fields + | extend + AlertId = threatInfo_threatId_s, + AlertName = threatInfo_threatName_s, + AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active"), + AlertOriginalStatus = threatInfo_incidentStatus_s, + Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s), + ThreatId = threatInfo_threatId_s, + ThreatName = 
threatInfo_threatName_s, + ThreatFirstReportedTime = threatInfo_identifiedAt_t, + ThreatLastReportedTime = threatInfo_updatedAt_t, + ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""), + ThreatOriginalCategory = threatInfo_classification_s + // Filter for ThreatCategory + | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any))) + | extend + AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))), + AttackTactics = tostring(extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names))) + | project-away Names + | lookup DetectionMethodLookup on threatInfo_engines_s + | extend analystVerdict_s = threatInfo_analystVerdict_s + | lookup AlertVerdictLookup on analystVerdict_s + // Filter for AlertVerdict + | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any))) + // Mapping Dvc Fields + | extend + DvcHostname = agentRealtimeInfo_agentComputerName_s, + DvcOs = agentRealtimeInfo_agentOsName_s, + DvcOsVersion = agentRealtimeInfo_agentOsRevision_s, + DvcId = agentRealtimeInfo_agentId_s, + DvcIdType = "Other", + DvcDomain = agentRealtimeInfo_agentDomain_s, + DvcDomainType = "Windows", + DvcIpAddr = agentDetectionInfo_agentIpV4_s + // Mapping Process Entity + | extend + ProcessCommandLine = threatInfo_maliciousProcessArguments_s, + ProcessName = threatInfo_originatorProcess_s + // Mapping File Fields + | extend + FileMD5 = threatInfo_md5_g, + FileSHA1 = threatInfo_sha1_s, + FileSHA256 = threatInfo_sha256_s, + FilePath=threatInfo_filePath_s, + FileSize = threatInfo_fileSize_d + // Mapping User Fields + | extend + Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s) + | extend UsernameType = _ASIM_GetUsernameType(Username) + // Event Fields + | extend + EventType = 'Alert', + EventOriginalType = event_name_s, + EventUid = threatInfo_threatId_s, + 
EventCount = int(1), + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 'Singularity', + EventVendor = 'SentinelOne', + EventSchemaVersion = '0.1', + EventSchema = "AlertEvent" + | extend EventSubType = "Threat" + // Aliases + | extend + IpAddr = DvcIpAddr, + User = Username, + Hostname = DvcHostname + | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d + }; + parser ( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + disabled = disabled + ) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index c0911648d32..0b1cc1884d1 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
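Review bot: The `username_has_any` filter is commented out in the `where` clause, so the parameter is accepted but never applied and a caller filtering by user silently receives every SentinelOne alert, unlike the Defender XDR parser in the same change. Since `Username` is later derived as `coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)`, apply the filter on that column right after it is computed: `| where ((array_length(username_has_any) == 0) or (Username has_any (username_has_any)))`. The hard-coded `DvcDomainType = "Windows"` is also emitted for every row even though `DvcOs` is taken from `agentRealtimeInfo_agentOsName_s`; presumably non-Windows agents occur, so this should be conditional on the OS or left empty.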
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in 
(DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent 
(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json new file mode 100644 index 00000000000..530d73876eb --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationIllumioSaaSCore", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);\nlet parser=(disabled: bool=false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in 
(user_events) // limited to user signin, login, logoff, signoff events only\n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3'\n , \n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | extend \n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/README.md new file mode 100644 index 00000000000..88fc55eabe8 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/README.md 
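Review bot: The `user_events` allow-list in the new query spells the sign-in event `'user.sigin'` while the matching `EventTypeLookup` row is `'user.sign_in'`, so the `where not(disabled) and event_type in (user_events)` filter never admits Illumio sign-in events and they silently drop out of the normalized Authentication output — a gap for any logon detection built on this parser. The fix is the one literal: `let user_events = dynamic(['user.sign_in', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);`, and if this ARM file is generated from the parser YAML the correction belongs there so it is not overwritten by the next conversion. Separately, `SrcIpAddr` and `TargetUsername` are built from dynamic fields (`action.src_ip`, `created_by.user.username`) without `tostring()`, which presumably leaves them typed dynamic rather than the string the schema expects — worth confirming against the schema tester before merge.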
@@ -0,0 +1,18 @@
+# Illumio ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Illumio.
+
+This ASIM parser supports normalizing Illumio sign in logs, stored in the Illumio_Auditable_Events_CL table, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationIllumioSaaSCore%2FASimAuthenticationIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationIllumioSaaSCore%2FASimAuthenticationIllumioSaaSCore.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
index b5a1546bf08..262519b8e67 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Windows Security Events", "category": "ASIM", "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 
'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\nlet WinLogon=(disabled:bool=false){ \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcDvcHostname = 
tostring(EventData.WorkstationName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4634, \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-',''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = 
TargetDvcHostname,\n User = TargetUsername\n};\nlet SecEventLogon=(disabled:bool=false){\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcDvcHostname = WorkstationName,\n SrcDvcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n };\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)\n", + "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 
4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 
'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(disabled: bool=false) { \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcHostname = tostring(EventData.WorkstationName),\n SrcIpAddr = tostring(EventData.IpAddress),\n Status = 
tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4634,\n \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n 
LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon=(disabled: bool=false) {\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcHostname = WorkstationName,\n SrcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 
'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 44182cceee9..91294129c1f 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json @@ -278,6 +278,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationIllumioSaaSCore", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
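Review bot: The two branches of the union now report different schema versions: `WinLogon` sets `EventSchemaVersion = '0.1.3'` while `SecEventLogon` still sets `EventSchemaVersion = '0.1.0'`, even though both branches were updated in this change with `EventSchema = 'Authentication'`, the `IpAddr` alias and the trailing `project-away`, so the same parser will emit rows tagged with both versions. Align them with `EventSchemaVersion = '0.1.3',` in `SecEventLogon`. The `project-away` list at the end of `SecEventLogon` also names `EventStatus` twice, which is at best redundant. The `LogonTypes` remapping (7 and 11 both to `'Interactive'`, 3 to `'Remote'`, 4 to `'System'`, 9 to `'AssumeRole'`) changes what existing content sees in `EventSubType`; if that follows the schema's value list, a comment on the datatable such as `// EventSubType values follow the ASIM Authentication schema; Unlock (7) and CachedInteractive (11) are reported as 'Interactive'` would spare the next reader the archaeology.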
@@ -838,6 +858,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationIllumioSaaSCore", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 491e586aa80..9646a038b0e 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in 
(DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, 
username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n 
vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo 
(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/README.md new file mode 100644 index 00000000000..7d5aaee7882 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/README.md 
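Review bot: The exclusion key in the new `vimAuthenticationIllumioSaaSCore` entry, `'ExcludevimAuthenticationIllumioSaaS'`, does not follow the `Excludevim<FunctionAlias>` convention every other entry in this union uses (e.g. `ExcludevimAuthenticationVMwareCarbonBlackCloud`), so an operator who adds `ExcludevimAuthenticationIllumioSaaSCore` to the `ASimDisabledParsers` watchlist will not disable this source. Change it to `disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaSCore' in (DisabledParsers) ))`. If the shorter key is intentional, the parser's README should state it, since the watchlist-driven opt-out is how a noisy or broken source gets switched off without a redeploy.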
@@ -0,0 +1,18 @@ +# Illumio ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Illumio. + +This ASIM parser supports normalizing Illumio sign in logs, stored in the Illumio_Auditable_Events_CL table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationIllumioSaaSCore%2FvimAuthenticationIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationIllumioSaaSCore%2FvimAuthenticationIllumioSaaSCore.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json new file mode 100644 index 00000000000..c3a8bace296 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationIllumioSaaSCore", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: 
dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srchostname_has_any) == 0) // srchostname_has_any not available in source \n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3' \n ,\n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | where\n (eventresult == \"*\" or (EventResult == eventresult)) \n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend \n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip) \n // * prefiltering \n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and ((array_length(eventtype_in) == 0) or EventType has_any (eventtype_in))\n // * prefiltering\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n 
created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json index 8a6b7608c5e..dc0930de85b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json 
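Review bot: `user_events` lists `'user.sigin'` while `EventTypeLookup` maps `'user.sign_in'`, so the `event_type in (user_events)` filter drops every `user.sign_in` record before the lookup runs and those sign-ins never reach the Authentication schema; fix the literal to `'user.sign_in'`. Any detection built on `imAuthentication` would otherwise silently miss Illumio sign-ins, so a sample `user.sign_in` row in the parser's test data that asserts a non-zero result would catch a regression. Separately, `TargetUsername` and `SrcIpAddr` are taken from dynamic properties (`created_by.user.username`, `action.src_ip`) without `tostring()`, and `iff(action.src_ip == 'FILTERED', "", action.src_ip)` mixes a string branch with a dynamic one; I would expect the ASIM schema tester to want string columns there, so wrap both in `tostring()` and confirm against its output.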
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser for Windows Security Events", "category": "ASIM", "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\n[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n(\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n 
'0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{ \n WindowsEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or 
(tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcDvcIpAddr = tostring(EventData.IpAddress), // Backword Compatibility. 
Will be removed by July 2024\n SrcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend \n SrcDvcHostname = tostring(EventData.WorkstationName), // Backword Compatibility. 
Will be removed by July 2024\n SrcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend\n EventMessage = case\n (\n EventID == 4634,\n \"4634 - An account was logged off.\", \n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n // Filtering on 'eventresult' and 'username_has_any'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-rename \n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n EventOriginalType=EventID\n | extend\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3'\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n ,\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // filtering on 'eventtype_in'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | 
lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n};\nlet SecEventLogon =(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{\n SecurityEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n 
| project-rename \n EventMessage = Activity\n ,\n ActorSessionId=SubjectLogonId\n ,\n TargetSessionId=TargetLogonId\n ,\n ActorUserId=SubjectUserSid\n ,\n TargetUserId =TargetUserSid\n ,\n SrcDvcHostname = WorkstationName // Backword Compatibility. Will be removed by July 2024\n ,\n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n LogonProtocol=AuthenticationPackageName\n ,\n SrcDvcIpAddr=IpAddress // Backword Compatibility. Will be removed by July 2024\n ,\n EventOriginalType=EventID\n | extend\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventProduct = \"Security Events\"\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n ,\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\n ,\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n ,\n SrcHostname = SrcDvcHostname // Backword Compatibility. Will be removed by July 2024\n ,\n SrcIpAddr = SrcDvcIpAddr // Backword Compatibility. 
Will be removed by July 2024\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcDvcHostname\n};\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\n[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n(\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 
'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{ \n WindowsEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or 
(tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, 
@\"\\\", EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend \n SrcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend\n EventMessage = case\n (\n EventID == 4634,\n \"4634 - An account was logged off.\", \n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n // Filtering on 'eventresult' and 'username_has_any'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-rename \n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n EventOriginalType=EventID\n | extend\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n 
EventSchemaVersion='0.1.3'\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n ,\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // filtering on 'eventtype_in'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon =(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{\n SecurityEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n EventMessage = Activity\n ,\n ActorSessionId=SubjectLogonId\n ,\n TargetSessionId=TargetLogonId\n ,\n ActorUserId=SubjectUserSid\n ,\n TargetUserId =TargetUserSid\n ,\n SrcHostname = WorkstationName\n ,\n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n LogonProtocol=AuthenticationPackageName\n ,\n SrcIpAddr=IpAddress\n ,\n EventOriginalType=EventID\n | 
extend\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n ,\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n EventProduct = \"Security Events\"\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n ,\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\n ,\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = 
tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml index 2bd4daeccac..c0f8027f9ff 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml 
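Review bot: The trailing `project-away` added to SecEventLogon on the new side lists `EventStatus` twice (first entry, and again after `SubjectUserName`); the second `EventStatus,` is redundant and should be dropped, and since this ARM template is presumably generated from the parser YAML, the fix belongs in the YAML source rather than here. Separately, both branches keep `Dvc=SrcHostname` — the `WorkstationName` field, i.e. the host the logon came from — while `Computer`, the host that actually emitted the 4624/4625/4634/4647 event, is renamed to `TargetDvcHostname`, aliased to `LogonTarget`, and then projected away; content that treats `Dvc` as the reporting device would therefore be pointed at the client rather than the audited host, so if the schema intends `Dvc` to be the reporting device consider `Dvc=TargetDvcHostname` (worth confirming against the Authentication 0.1.3 field list before changing). Finally, WinLogon's new `project` keeps `_ItemId` but never maps it, whereas the Illumio parser in this same change sets `EventUid = _ItemId`; adding `EventUid = _ItemId` to the WinLogon `extend` (and projecting `_ItemId` in SecEventLogon) would make the two parsers consistent, assuming `EventUid` is expected at schema version 0.1.3.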
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml @@ -1,17 +1,17 @@ Parser: Title: Authentication ASIM parser for Windows Security Events Version: '0.2.1' - LastUpdated: 21 Jul 2023 + LastUpdated: Oct 15, 2024 Product: Name: Windows Security Events Normalization: Schema: Authentication - Version: '0.1.0' + Version: '0.1.3' References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimAuthenticationDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema. ParserName: ASimAuthenticationMicrosoftWindowsEvent 
@@ -21,96 +21,107 @@ ParserParams: Type: bool Default: false ParserQuery: | - let LogonEvents=dynamic([4624,4625]); - let LogoffEvents=dynamic([4634,4647]); - let LogonTypes=datatable(LogonType:int, EventSubType:string)[ + let LogonEvents=dynamic([4624, 4625]); + let LogoffEvents=dynamic([4634, 4647]); + let LogonTypes=datatable(LogonType: int, EventSubType: string)[ 2, 'Interactive', - 3, 'Network', - 4, 'Batch', + 3, 'Remote', + 4, 'System', 5, 'Service', - 7, 'Unlock', + 7, 'Interactive', 8, 'NetworkCleartext', - 9, 'NewCredentials', + 9, 'AssumeRole', 10, 'RemoteInteractive', - 11, 'CachedInteractive']; + 11, 'Interactive' + ]; // https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000 let LogonStatus=datatable - (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[ - '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other', - '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password', - '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy', - '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy', - '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired', - '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled', - '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other', - '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other', - '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired', - '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other', - '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other', - '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other', - '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other', - '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other', - '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other', - '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other', - '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other', - '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other', - '0xc0000389', 
'STATUS_SMARTCARD_CERT_REVOKED','Other', - '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other', - '0x80090308', 'SEC_E_INVALID_TOKEN','Other', - '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other', - '0xc0000008', 'STATUS_INVALID_HANDLE','Other', - '0xc0000017', 'STATUS_NO_MEMORY','Other', - '0xc0000022', 'STATUS_ACCESS_DENIED','Other', - '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other', - '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other', - '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password', - '0xc000006d', 'STATUS_LOGON_FAILURE','Other', - '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy', - '0xc0000073', 'STATUS_NONE_MAPPED','Other', - '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other', - '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other', - '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other', - '0xc0000106', 'STATUS_NAME_TOO_LONG','Other', - '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy', - '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy', - '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy', - '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other', - '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked', - '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other']; - let WinLogon=(disabled:bool=false){ + ( + EventStatus: string, + EventOriginalResultDetails: string, + EventResultDetails: string + )[ + '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other', + '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password', + '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy', + '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy', + '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired', + '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled', + '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other', + '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other', + '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired', + '0xc0000380', 
'STATUS_SMARTCARD_WRONG_PIN', 'Other', + '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other', + '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other', + '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other', + '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other', + '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other', + '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other', + '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other', + '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other', + '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other', + '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other', + '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other', + '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other', + '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other', + '0xc0000017', 'STATUS_NO_MEMORY', 'Other', + '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other', + '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other', + '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other', + '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password', + '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other', + '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy', + '0xc0000073', 'STATUS_NONE_MAPPED', 'Other', + '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other', + '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other', + '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other', + '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other', + '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy', + '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy', + '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy', + '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other', + '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked', + '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other' + ]; + let WinLogon=(disabled: bool=false) { WindowsEvent | where not(disabled) | where Provider == 'Microsoft-Windows-Security-Auditing' | where EventID in (LogonEvents) or EventID in 
(LogoffEvents) + | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type | extend ActingProcessCreationTime = EventData.ProcessCreationTime, ActingProcessId = tostring(toint(EventData.ProcessId)), ActingProcessName = tostring(EventData.ProcessName), ActorSessionId = tostring(EventData.SubjectLogonId), ActorUserId = tostring(EventData.SubjectUserSid), - ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))), + ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\", EventData.SubjectUserName))), EventProduct = "Security Events", LogonGuid = tostring(EventData.LogonGuid), LogonProtocol = tostring(EventData.AuthenticationPackageName), LogonType = toint(EventData.LogonType), - SrcDvcHostname = tostring(EventData.WorkstationName), - SrcDvcIpAddr = tostring(EventData.IpAddress), + SrcHostname = tostring(EventData.WorkstationName), + SrcIpAddr = tostring(EventData.IpAddress), Status = tostring(EventData.Status), SubStatus = tostring(EventData.SubStatus), TargetDomainName = tostring(EventData.TargetDomainName), TargetPortNumber = toint(EventData.IpPort), TargetSessionId = tostring(EventData.TargetLogonId), TargetUserId = tostring(EventData.TargetUserSid), - TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName))) + TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\", EventData.TargetUserName))) | extend - EventStatus = iff(SubStatus=='0x0',Status,SubStatus) + EventStatus = iff(SubStatus == '0x0', Status, SubStatus) // -- creating EventMessage matching EventMessage in SecurityEvent table | extend EventMessage = case( - EventID == 4624 ,"4624 - An account was 
successfully logged on.", - EventID == 4625, "4625 - An account failed to log on.", - EventID == 4634, "4634 - An account was logged off.", - "4647 - User initiated logoff."), + EventID == 4624, + "4624 - An account was successfully logged on.", + EventID == 4625, + "4625 - An account failed to log on.", + EventID == 4634, + "4634 - An account was logged off.", + "4647 - User initiated logoff." + ), EventResult = iff(EventID == 4625, 'Failure', 'Success') | project-rename EventOriginalType = EventID, 
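Review bot: The rewritten LogonTypes table maps Windows logon types 2, 7 and 11 all to 'Interactive', and the WinLogon function now ends with `project-away ... LogonType` (next hunk, `@@ -119,74 +130,125 @@`), so the raw numeric logon type is gone from the output; console, unlock and cached-credential logons become indistinguishable, which detections for cached-credential and lateral-movement logons rely on. Keep the original value before it is dropped, e.g. add `EventOriginalSubType = tostring(LogonType)` to the extend that already adds `EventOriginalType = tostring(EventOriginalType)`, in both WinLogon and SecEventLogon. The same remapping and project-away are applied to vimAuthenticationMicrosoftWindowsEvent.yaml (hunks `@@ -53,14 +53,14 @@`, `@@ -248,6 +251,17 @@`, `@@ -374,7 +412,21 @@`) and need the same treatment. Since `lookup` is a left outer join by default, logon types absent from the table (0, 12, 13) still leave EventSubType empty; if the schema's EventSubType enumeration allows it, an explicit default would be cleaner. The WinLogon body continues past the end of this hunk.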
@@ -119,74 +130,125 @@ ParserQuery: | TargetDvcHostname = Computer | extend ActorUserIdType = 'SID', - ActorUsernameType = iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ), + ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'), EventCount = int(1), EventEndTime = TimeGenerated, - EventSchemaVersion = '0.1.0', + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.3', EventStartTime = TimeGenerated, - EventStatus = iff(SubStatus=='0x0',Status,SubStatus), + EventStatus = iff(SubStatus == '0x0', Status, SubStatus), EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), EventVendor = 'Microsoft', SrcDvcOs = 'Windows', TargetUserIdType = 'SID', - TargetUsernameType = iff(TargetDomainName in ('-',''), 'Simple', 'Windows') + TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows') | extend ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), - TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) + TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId), + EventOriginalType = tostring(EventOriginalType) + | lookup LogonStatus on EventStatus + | lookup LogonTypes on LogonType + /// ** Aliases + | extend + Dvc = SrcHostname, + LogonTarget = TargetDvcHostname, + User = TargetUsername, + IpAddr = SrcIpAddr + | project-away + EventData, + LogonGuid, + EventStatus, + LogonType, + Status, + SubStatus, + TargetDomainName, + TargetDvcHostname + }; + let SecEventLogon=(disabled: bool=false) { + SecurityEvent + | where not(disabled) + | where EventID in (LogonEvents) or + EventID in (LogoffEvents) + | project + SubjectLogonId, + SubjectUserSid, + Activity, + EventID, + EventOriginId, + AuthenticationPackageName, + WorkstationName, + IpAddress, + Computer, + TargetLogonId, + TargetUserSid, + SubjectDomainName, + SubjectUserName, + SubjectAccount, + TimeGenerated, + SubStatus, + TargetDomainName, + TargetUserName, + AccountType, + 
TargetAccount, + Status, + LogonType, + Type + | project-rename + ActorSessionId = SubjectLogonId, + ActorUserId = SubjectUserSid, + EventMessage = Activity, + EventOriginalType = EventID, + EventOriginalUid = EventOriginId, + LogonProtocol = AuthenticationPackageName, + SrcHostname = WorkstationName, + SrcIpAddr = IpAddress, + TargetDvcHostname = Computer, + TargetSessionId = TargetLogonId, + TargetUserId = TargetUserSid + | extend + ActorUserIdType = 'SID', + ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount), + ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'), + EventCount = int(1), + EventEndTime = TimeGenerated, + EventProduct = "Security Events", + EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'), + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.0', + EventStartTime = TimeGenerated, + EventStatus = iff(SubStatus == '0x0', Status, SubStatus), + EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), + EventVendor = 'Microsoft', + SrcDvcOs = 'Windows', + TargetUserIdType = 'SID', + TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\', TargetUserName), trim(@'\\', TargetAccount)), + TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows') + | project-away TargetUserName, AccountType + | extend + ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), + TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId), + EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus | lookup LogonTypes on LogonType /// ** Aliases | extend - Dvc = SrcDvcHostname, + Dvc = SrcHostname, LogonTarget = TargetDvcHostname, - User = TargetUsername + User = TargetUsername, + IpAddr = SrcIpAddr + | project-away + EventStatus, + LogonType, + Status, + SubStatus, + SubjectAccount, + SubjectDomainName, + SubjectUserName, + EventStatus, + TargetAccount, + TargetDomainName, + TargetDvcHostname }; 
- let SecEventLogon=(disabled:bool=false){ - SecurityEvent - | where not(disabled) - | where EventID in (LogonEvents) or - EventID in (LogoffEvents) - | project-rename - ActorSessionId = SubjectLogonId, - ActorUserId = SubjectUserSid, - EventMessage = Activity, - EventOriginalType = EventID, - EventOriginalUid = EventOriginId, - LogonProtocol = AuthenticationPackageName, - SrcDvcHostname = WorkstationName, - SrcDvcIpAddr = IpAddress, - TargetDvcHostname = Computer, - TargetSessionId = TargetLogonId, - TargetUserId = TargetUserSid - | extend - ActorUserIdType = 'SID', - ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount), - ActorUsernameType = iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' ), - EventCount = int(1), - EventEndTime = TimeGenerated, - EventProduct = "Security Events", - EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'), - EventSchemaVersion = '0.1.0', - EventStartTime = TimeGenerated, - EventStatus = iff(SubStatus=='0x0',Status,SubStatus), - EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), - EventVendor = 'Microsoft', - SrcDvcOs = 'Windows', - TargetUserIdType = 'SID', - TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\',TargetUserName), trim(@'\\',TargetAccount)), - TargetUsernameType = iff (TargetDomainName in ('-',''), 'Simple', 'Windows') - | project-away TargetUserName, AccountType - | extend - ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), - TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) - | lookup LogonStatus on EventStatus - | lookup LogonTypes on LogonType - /// ** Aliases - | extend - Dvc = SrcDvcHostname, - LogonTarget = TargetDvcHostname, - User = TargetUsername - }; union isfuzzy=true - SecEventLogon(disabled=disabled), - WinLogon(disabled=disabled) + SecEventLogon(disabled=disabled), + WinLogon(disabled=disabled) \ No newline at end of file 
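Review bot: The new SecEventLogon sets `EventSchemaVersion = '0.1.0'` while WinLogon a few lines above now sets `EventSchemaVersion = '0.1.3'` and the file header's Normalization Version is 0.1.3, so the union emits a different schema version depending on whether a row came from SecurityEvent or WindowsEvent. It should read `EventSchemaVersion = '0.1.3',`, as the vim parser in this commit does for both functions. Separately, SecEventLogon's closing `project-away` lists `EventStatus` twice; I am not certain Kusto rejects a repeated name there, but the duplicate should go, and the same duplicate appears in the vim parser hunk `@@ -374,7 +412,21 @@`.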
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml
index 861b785dae8..acbe17dfef0 100644
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml
@@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM filtering parser for Windows Security Events - Version: '0.3.0' - LastUpdated: Mar 12, 2024 + Version: '0.3.1' + LastUpdated: Oct 15, 2024 Product: Name: Windows Security Events Normalization:
@@ -11,7 +11,7 @@ References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimAuthenticationDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports filtering and normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema. ParserName: vimAuthenticationMicrosoftWindowsEvent
@@ -53,14 +53,14 @@ ParserQuery: | let LogonTypes=datatable(LogonType: int, EventSubType: string) [ 2, 'Interactive', - 3, 'Network', - 4, 'Batch', + 3, 'Remote', + 4, 'System', 5, 'Service', - 7, 'Unlock', + 7, 'Interactive', 8, 'NetworkCleartext', - 9, 'NewCredentials', + 9, 'AssumeRole', 10, 'RemoteInteractive', - 11, 'CachedInteractive' + 11, 'Interactive' ]; // https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000 let LogonStatus=datatable 
@@ -144,9 +144,9 @@ ParserQuery: | // ************************************************************************* | where Provider == 'Microsoft-Windows-Security-Auditing' | where EventID in (LogonEvents) or EventID in (LogoffEvents) + | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type | extend LogonProtocol = tostring(EventData.AuthenticationPackageName), - SrcDvcIpAddr = tostring(EventData.IpAddress), // Backword Compatibility. Will be removed by July 2024 SrcIpAddr = tostring(EventData.IpAddress), TargetPortNumber = toint(EventData.IpPort), LogonGuid = tostring(EventData.LogonGuid), @@ -181,7 +181,6 @@ ParserQuery: | "No match" ) | extend - SrcDvcHostname = tostring(EventData.WorkstationName), // Backword Compatibility. Will be removed by July 2024 SrcHostname = tostring(EventData.WorkstationName), EventProduct = "Security Events" | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus) @@ -210,6 +209,8 @@ ParserQuery: | | extend EventCount=int(1) , + EventSchema = 'Authentication' + , EventSchemaVersion='0.1.3' , ActorUserIdType='SID' @@ -237,6 +238,8 @@ ParserQuery: | ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) + , + EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus // filtering on 'eventresultdetails_in' | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) @@ -248,6 +251,17 @@ ParserQuery: | LogonTarget=TargetDvcHostname , Dvc=SrcHostname + , + IpAddr=SrcIpAddr + | project-away + EventData, + LogonGuid, + EventStatus, + LogonType, + Status, + SubStatus, + TargetDomainName, + TargetDvcHostname }; let SecEventLogon =(starttime: datetime=datetime(null), endtime: datetime=datetime(null), 
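Review bot: The `@@ -144,9 +144,9 @@`, `@@ -181,7 +181,6 @@` and `@@ -334,10 +374,6 @@` hunks remove the SrcDvcIpAddr and SrcDvcHostname backward-compatibility columns, which breaks any analytic rule, hunting query or workbook that still references them, yet the header bumps the parser only from 0.3.0 to 0.3.1. A minor version bump and a sentence in Description naming the removed columns would make the break visible to consumers. The new `| project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type` in the first hunk is a sensible scope reduction, but any WindowsEvent column that later parts of WinLogon (outside these hunks) still reference and that is missing from this list will now fail to resolve, so the rest of the function is worth re-reading against it.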
@@ -280,6 +294,30 @@ ParserQuery: | // ************************************************************************* | where EventID in (LogonEvents) or EventID in (LogoffEvents) + | project + SubjectLogonId, + SubjectUserSid, + Activity, + EventID, + EventOriginId, + AuthenticationPackageName, + WorkstationName, + IpAddress, + Computer, + TargetLogonId, + TargetUserSid, + SubjectDomainName, + SubjectUserName, + SubjectAccount, + TimeGenerated, + SubStatus, + TargetDomainName, + TargetUserName, + AccountType, + TargetAccount, + Status, + LogonType, + Type | project-rename EventMessage = Activity , @@ -291,7 +329,7 @@ ParserQuery: | , TargetUserId =TargetUserSid , - SrcDvcHostname = WorkstationName // Backword Compatibility. Will be removed by July 2024 + SrcHostname = WorkstationName , TargetDvcHostname = Computer , @@ -299,7 +337,7 @@ ParserQuery: | , LogonProtocol=AuthenticationPackageName , - SrcDvcIpAddr=IpAddress // Backword Compatibility. Will be removed by July 2024 + SrcIpAddr=IpAddress , EventOriginalType=EventID | extend @@ -307,7 +345,9 @@ ParserQuery: | , EventCount=int(1) , - EventSchemaVersion='0.1.0' + EventSchema = 'Authentication' + , + EventSchemaVersion='0.1.3' , EventProduct = "Security Events" , @@ -334,10 +374,6 @@ ParserQuery: | SrcDvcOs = 'Windows' , EventStatus= iff(SubStatus == '0x0', Status, SubStatus) - , - SrcHostname = SrcDvcHostname // Backword Compatibility. Will be removed by July 2024 - , - SrcIpAddr = SrcDvcIpAddr // Backword Compatibility. Will be removed by July 2024 // mapping ASimMatchingUsername | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) 
@@ -364,6 +400,8 @@ ParserQuery: | ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) + , + EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus // filtering on 'eventresultdetails_in' | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))
@@ -374,7 +412,21 @@ ParserQuery: | , LogonTarget=TargetDvcHostname , - Dvc=SrcDvcHostname + Dvc=SrcHostname + , + IpAddr=SrcIpAddr + | project-away + EventStatus, + LogonType, + Status, + SubStatus, + SubjectAccount, + SubjectDomainName, + SubjectUserName, + EventStatus, + TargetAccount, + TargetDomainName, + TargetDvcHostname }; union isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled) - , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled) + , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)
\ No newline at end of file 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png new file mode 100644 index 00000000000..0cda756d0e0 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png new file mode 100644 index 00000000000..837ce46d03a Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png new file mode 100644 index 00000000000..86a3382e2d5 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png new file mode 100644 index 00000000000..85e3d9c7363 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png new file mode 100644 index 00000000000..24252ea46d0 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png new file mode 100644 index 00000000000..b19f0188291 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png new file mode 100644 index 00000000000..77fc381dcde Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png new file mode 100644 index 00000000000..2863d1ac842 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png new file mode 100644 index 00000000000..d6b9217a233 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png new file mode 100644 index 00000000000..19bcf49c9bd Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png new file mode 100644 index 00000000000..9ebea64504d Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png new file mode 100644 index 00000000000..d6eb32c9f27 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png new file mode 100644 index 00000000000..63bf4b5f260 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png new file mode 100644 index 00000000000..f72b7e27ea7 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png new file mode 100644 index 00000000000..8ddbd7eb2cd Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png new file mode 100644 index 00000000000..02a3429b4ad Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png new file mode 100644 index 00000000000..627b0cb0228 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png new file mode 100644 index 00000000000..ec124b080e7 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png new file mode 100644 index 00000000000..7df564b46b6 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png new file mode 100644 index 00000000000..8dcb504eebc Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png new file mode 100644 index 00000000000..ea41face2ac Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png new file mode 100644 index 00000000000..fb02aeadd69 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png new file mode 100644 index 00000000000..4e21a9b4b19 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png new file mode 100644 index 00000000000..c5cecdfd905 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png new file mode 100644 index 00000000000..f818a4a5569 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png new file mode 100644 index 00000000000..8ad3c16d057 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png new file mode 100644 index 00000000000..1a8748f2ec3 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png new file mode 100644 index 00000000000..3e23dc79086 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png new file mode 100644 index 00000000000..782e9e39773 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png new file mode 100644 index 00000000000..38da0ce277b Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png
new file mode 100644
index 00000000000..29cc38bc626
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png
new file mode 100644
index 00000000000..ecdd091f1f0
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png
new file mode 100644
index 00000000000..e89e494578a
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png
new file mode 100644
index 00000000000..7bb0650ba55
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png
new file mode 100644
index 00000000000..867ee398427
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png
new file mode 100644
index 00000000000..051ef6ee199
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png
new file mode 100644
index 00000000000..2484c113409
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png
new file mode 100644
index 00000000000..8731f60625d
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png
new file mode 100644
index 00000000000..95cbb7a3e2a
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png
new file mode 100644
index 00000000000..db553f2fdc8
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png
new file mode 100644
index 00000000000..3a778b991b1
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png
new file mode 100644
index 00000000000..a830203d727
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png
new file mode 100644
index 00000000000..d2cf64f8143
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png
new file mode 100644
index 00000000000..8da7c2a0517
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png
new file mode 100644
index 00000000000..d46f07773af
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png
new file mode 100644
index 00000000000..3b8e6678605
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png
new file mode 100644
index 00000000000..d98ca5ce8da
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png
new file mode 100644
index 00000000000..95f67d803f7
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png
new file mode 100644
index 00000000000..40342d7a05d
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png
new file mode 100644
index 00000000000..98306cb8fa3
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png
new file mode 100644
index 00000000000..1c9beb01edc
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png
new file mode 100644
index 00000000000..2e79ba1093c
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png
new file mode 100644
index 00000000000..79149ee6e38
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png
new file mode 100644
index 00000000000..254c2730ccd
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png
new file mode 100644
index 00000000000..e265f03f5bf
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png
new file mode 100644
index 00000000000..39a2d12d311
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png
new file mode 100644
index 00000000000..a90000d0353
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png
new file mode 100644
index 00000000000..cd07848ab2c
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png
new file mode 100644
index 00000000000..74b925f2766
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
new file mode 100644
index 00000000000..eea27d50290
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
@@ -0,0 +1,374 @@ + # AS-Microsoft-DCR-Log-Ingestion + +Author: Accelerynt + +For any technical questions, please contact info@accelerynt.com + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) + +This playbook is intended for multitenant organizations and is designed to run on a timed trigger and pull Microsoft Graph and Microsoft Office logs to Microsoft Sentinel using Data Collection Endpoints and Data Collection Rules. While Microsoft does have built in connectors for this, they do not support multitenant functionality. This playbook is configured to grab the following logs for a tenant of your choosing and send them to another tenant: +* [Microsoft Graph Sign-In Logs](https://learn.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http) +* [Microsoft Graph Audit Logs](https://learn.microsoft.com/en-us/graph/api/directoryaudit-get?view=graph-rest-1.0&tabs=http) +* [Microsoft Office Activity Logs](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference). + +![DCRLogIngestion_Demo_1](Images/DCRLogIngestion_Demo_1.png) + +![DCRLogIngestion_Demo_2](Images/DCRLogIngestion_Demo_2.png) + +> [!NOTE] +> Estimated Time to Complete: 3 hours + +> [!TIP] +> Required deployment variables will be noted throughout the setup. It is recommended that you look at the deployment page and fill out the required fields as you go. 
+ +# +### Requirements + +The following items are required under the template settings during deployment: + +* Note your [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) for the tenant that will be sending the data +* A Microsoft Entra [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) to send data to the DCR with admin consent granted for "**AuditLog.Read.All**" and "**Activity.Feed.Read**" +* A Microsoft Entra [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) in the receiving tenant where the DCR is located. This app registration must have the "**Monitoring Metrics Publisher**" role assigned from each DCR you create. +* [App Registration Azure key vault secrets](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret) containing your app registration client secrets +* Note your [workspace location](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces) for the tenant that will be receiving data, as this will need to be the same for Data Collection Rules and Endpoints created in the steps below +* A [Microsoft Data Collection Endpoint](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints) for each of the log sources +* A [Microsoft Data Collection Rule](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules) for each of the log sources +* An [Azure key vault secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret) containing your client secret for each of your Data Collection Endpoints + +# +### Role Requirements + 
+If the user that will be performing the setup and deployment steps does not have "**Owner**" or "**Global Administrator**" assigned in both tenants, the following roles may be required: + +The following roles are required in the **sending tenant**: + +* The **Privileged Role Administrator** role will need to be assigned to the user from Entra ID. +* By default, any user can create an app registration, however, if this has been locked down, the "**Application Administrator**" role will need to be assigned from Entra ID. + +The following roles are required in the **receiving tenant**: + +* In order to create and manage secrets within the desired Key Vault, the **Key Vault Secrets Officer** role will need to be assigned to the user from the Key Vault Access control (IAM) page. +* In order to add role assignments to DCRs, the **User Access Admin** and "**Contributor**" roles will need to be assigned to the user from the resource group. + +# +### Setup + +#### Create an App Registration + +From the tenant you wish to **send the Microsoft Graph and Office data from**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". + +![DCRLogIngestion_App_Registration_1](Images/DCRLogIngestion_App_Registration_1.png) + +Enter "**AS-Send-Logs-to-DCR**" for the name and select "**Accounts in any organizational directory**" for "**Supported account types**. All else can be left as is. Click "**Register**" + +![DCRLogIngestion_App_Registration_2](Images/DCRLogIngestion_App_Registration_2.png) + +Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**" and the "**Directory (tenant) ID**", as both will be needed for deployment. 
+ +![DCRLogIngestion_App_Registration_3](Images/DCRLogIngestion_App_Registration_3.png) + +Next, you will need to add permissions for the app registration to call the Microsoft Graph and Office 365 API endpoints. From the left menu blade, click "**API permissions**" under the "**Manage**" section. Then, click "**Add a permission**". + +![DCRLogIngestion_App_Registration_4](Images/DCRLogIngestion_App_Registration_4.png) + +From the "**Select an API**" pane, click the "**Microsoft APIs**" tab and select "**Microsoft Graph**". + +![DCRLogIngestion_App_Registration_5](Images/DCRLogIngestion_App_Registration_5.png) + +Click "**Application permissions**", then paste "**AuditLog.Read.All**" in the search bar. Click the option matching the search, then click "**Add permission**". + +![DCRLogIngestion_App_Registration_6](Images/DCRLogIngestion_App_Registration_6.png) + +This process will need to be repeated for the Office 365 API. Click "**Add a permission**" once again and from the "**Select an API**" pane, click the "**Microsoft APIs**" tab and select "**Office 365 Management APIs**". + +![DCRLogIngestion_App_Registration_7](Images/DCRLogIngestion_App_Registration_7.png) + +Click "**Application permissions**", then paste "**ActivityFeed.Read**" in the search bar. Click the option matching the search, then click "**Add permission**". + +![DCRLogIngestion_App_Registration_8](Images/DCRLogIngestion_App_Registration_8.png) + +Admin consent will be needed before your app registration can use the assigned permission. Click "**Grant admin consent for (name)**". + +![DCRLogIngestion_App_Registration_9](Images/DCRLogIngestion_App_Registration_9.png) + +Lastly, a client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**". 
+ +![DCRLogIngestion_App_Registration_10](Images/DCRLogIngestion_App_Registration_10.png) + +Enter a description and select the desired expiration date, then click "**Add**". + +![DCRLogIngestion_App_Registration_11](Images/DCRLogIngestion_App_Registration_11.png) + +Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +![DCRLogIngestion_App_Registration_12](Images/DCRLogIngestion_App_Registration_12.png) + +#### Create an App Registration Azure Key Vault Secret + +The secret from the previous step will need to be stored in the **tenant that is to receive the data**, as this is where the logic app will be deployed. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". + +![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Key_Vault_1.png) + +Choose a name for the secret, such as "**DCRLogIngestion-SendingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". + +![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Key_Vault_2.png) + +#### Create the Data Collection Endpoints + +From the **tenant that is to receive the data**, navigate to the Microsoft Data Collection Endpoints page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints + +Click "**Create**". 
+ +![DCRLogIngestion_Data_Collection_Endpoint_1](Images/DCRLogIngestion_Data_Collection_Endpoint_1.png) + +Enter "**EntraSignInLogsDCE**" as the Endpoint Name and select the Subscription and Resource Group. These should match the Subscription and Resource Group of the playbook you will deploy later. Ensure the Region location matches that of your workspace. Click "**Review + create**". + +![DCRLogIngestion_Data_Collection_Endpoint_2](Images/DCRLogIngestion_Data_Collection_Endpoint_2.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Endpoint_3](Images/DCRLogIngestion_Data_Collection_Endpoint_3.png) + +Repeat this process for "**EntraAuditLogsDCE**". + +![DCRLogIngestion_Data_Collection_Endpoint_4](Images/DCRLogIngestion_Data_Collection_Endpoint_4.png) + +Repeat this process for "**OfficeActivityLogsDCE**". + +![DCRLogIngestion_Data_Collection_Endpoint_5](Images/DCRLogIngestion_Data_Collection_Endpoint_5.png) + +From each of the created Data Collection Endpoint overview pages, take note of the "**Logs Ingestion**" URLs, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Endpoint_6](Images/DCRLogIngestion_Data_Collection_Endpoint_6.png) + +#### Create the Data Collection Rules + +From the **tenant that is to receive the data**, navigate to the Microsoft Log Analytics Workspace page: https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces + +Select the desired workspace. + +![DCRLogIngestion_Data_Collection_Rule_1](Images/DCRLogIngestion_Data_Collection_Rule_1.png) + +From the selected workspace, navigate to "**Tables**" located under settings, click "**Create**" and select "**New custom log (DCR based)**". + +![DCRLogIngestion_Data_Collection_Rule_2](Images/DCRLogIngestion_Data_Collection_Rule_2.png) + +First, click "**Create a new Data Collection Rule**" below the Data Collection Rule field. Then enter "**EntraSignInLogsDCR**" for the name in the window that appears on the right. 
Ensure the Subscription, Resource Group, and Region all look correct, then click "**Done**". + +![DCRLogIngestion_Data_Collection_Rule_3](Images/DCRLogIngestion_Data_Collection_Rule_3.png) + +Next enter "**EntraSignInLogs**" as the table name and select "**EntraSignInLogsDCE**" from the drop-down list. If this option is not populating, double check the region used for the Data Collection Endpoint created in the previous step. Click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_4](Images/DCRLogIngestion_Data_Collection_Rule_4.png) + +The next step will prompt you for a data sample. + +![DCRLogIngestion_Data_Collection_Rule_5](Images/DCRLogIngestion_Data_Collection_Rule_5.png) + +Upload the file content located at [Samples/SignInLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/SignInLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_6](Images/DCRLogIngestion_Data_Collection_Rule_6.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_7](Images/DCRLogIngestion_Data_Collection_Rule_7.png) + +This process will need to be repeated for "**EntraAuditLogsDCR**". After creating the "**EntraAuditLogsDCR**" Data Collection Rule in the way that was shown for "**EntraSignInLogsDCR**", enter "**EntraAuditLogs**" as the table name and select "**EntraAuditLogsDCE**" from the drop-down list. + +![DCRLogIngestion_Data_Collection_Rule_8](Images/DCRLogIngestion_Data_Collection_Rule_8.png) + +Upload the file content located at [Samples/AuditLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/AuditLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_9](Images/DCRLogIngestion_Data_Collection_Rule_9.png) + +Click "**Create**". 
+ +![DCRLogIngestion_Data_Collection_Rule_10](Images/DCRLogIngestion_Data_Collection_Rule_10.png) + +This process will need to be repeated for "**OfficeActivityLogsDCR**". After creating the "**OfficeActivityLogsDCR**" Data Collection Rule in the way that was shown for “**EntraSignInLogsDCR**", enter "**OfficeActivityLogs**" as the table name and select "**OfficeActivityLogsDCE**" from the drop down list. + +![DCRLogIngestion_Data_Collection_Rule_11](Images/DCRLogIngestion_Data_Collection_Rule_11.png) + +Upload the file content located at [Samples/OfficeActivityLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/O365GeneralAuditLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_12](Images/DCRLogIngestion_Data_Collection_Rule_12.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_13](Images/DCRLogIngestion_Data_Collection_Rule_13.png) + +From each of the created [Data Collection Rule overview pages](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules), take note of the "**Immutable Id**" values, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Rule_14](Images/DCRLogIngestion_Data_Collection_Rule_14.png) + +Lastly, from each of the created Data Collection Rule data sources pages, take note of the "**Data source**" values, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Rule_15](Images/DCRLogIngestion_Data_Collection_Rule_15.png) + +#### Create an App Registration for the DCRs + +From the **tenant that is to receive the data**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". 
+ +![DCRLogIngestion_App_Registration_DCR_1](Images/DCRLogIngestion_App_Registration_DCR_1.png) + +Enter "**DCRLogIngestionAppReg**" for the name and select "**Accounts in this organizational directory only**" for "**Supported account types**. All else can be left as is. Click "**Register**" + +![DCRLogIngestion_App_Registration_DCR_2](Images/DCRLogIngestion_App_Registration_DCR_2.png) + +Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**", as this will be needed for deployment. + +![DCRLogIngestion_App_Registration_DCR_3](Images/DCRLogIngestion_App_Registration_DCR_3.png) + +A client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**”. Enter a description and select the desired expiration date, then click "**Add**". + +![DCRLogIngestion_App_Registration_DCR_4](Images/DCRLogIngestion_App_Registration_DCR_4.png) + +Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +![DCRLogIngestion_App_Registration_DCR_5](Images/DCRLogIngestion_App_Registration_DCR_5.png) + +Next, IAM access for this App Registration will need to be added from each of the DCRs created in the previous step. Navigate to the Data Collection Rules page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules + +Select the "**EntraSignInLogsDCR**" and select "**Access control (IAM)**". Click "**Add**" and select "**Add role assignment**". + +![DCRLogIngestion_App_Registration_DCR_6](Images/DCRLogIngestion_App_Registration_DCR_6.png) + +Select "**Monitoring Metrics Publisher**" and click "**Next**". 
+ +![DCRLogIngestion_App_Registration_DCR_7](Images/DCRLogIngestion_App_Registration_DCR_7.png) + +Select "**User, group, or service principal**" as the access option, then click "**Select members**". Paste "**DCRLogIngestionAppReg**" into the search bar at the top of the right pane and select the app registration that appears, then click "**Select**". + +![DCRLogIngestion_App_Registration_DCR_8](Images/DCRLogIngestion_App_Registration_DCR_8.png) + +Click "**Review + assign**". + +![DCRLogIngestion_App_Registration_DCR_9](Images/DCRLogIngestion_App_Registration_DCR_9.png) + +Repeat this process for the "**EntraAuditLogsDCR**". + +![DCRLogIngestion_App_Registration_DCR_10](Images/DCRLogIngestion_App_Registration_DCR_10.png) + +Lastly, repeat this process for "**OfficeActivityLogsDCR**". + +![DCRLogIngestion_App_Registration_DCR_11](Images/DCRLogIngestion_App_Registration_DCR_11.png) + +#### Create a Receiving App Registration Azure Key Vault Secret + +As before, secret from the previous step will need to be stored in the **tenant that is to receive the data**. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". + +![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Receiving_Key_Vault_1.png) + +Choose a name for the secret, such as "**DCRLogIngestion-ReceivingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". 
+ +![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Receiving_Key_Vault_2.png) + +# +### Deployment + +To configure and deploy this playbook: + +Open your browser and ensure you are logged into your Microsoft Sentinel workspace from the **tenant that is to receive the data**. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository: + +https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) + +Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template. + +In the **Project Details** section: + +* Select the "**Subscription**" and "**Resource Group**" from the dropdown boxes you would like the playbook deployed to. + +In the **Instance Details** section: + +* **Playbook Name**: This can be left as "**AS-Microsoft-DCR-Log-Ingestion**" or you may change it. + +* **Sending App Registration Tenant Id**: Enter the Directory (tenant) Id of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). + +* **Sending App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). 
+ +* **Sending Tenant Subscription ID**: Enter the [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) of the tenant that will be sending the data. + +* **Receiving App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to receive data, referenced in [Create an App Registration for the DCRs](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-for-the-dcrs). + +* **Key Vault Name**: Enter the name of the key vault referenced in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +* **Sending App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the sending App Registration client secret, created in [Create an App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret). + +* **Receiving App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the receiving App Registration client secret, created in [Create a Receiving App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-a-receiving-app-registration-azure-key-vault-secret). + +* **Entra Sign In Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraSignInLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). 
+ +* **Entra Sign In Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Entra Sign In Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Entra Audit Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraAuditLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). + +* **Entra Audit Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Entra Audit Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +* **Office Activity Ingestion URL**: Enter the Logs Ingestion URL from the OfficeActivityLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). + +* **Office Activity Immutable Id**: Enter the Logs Ingestion Immutable Id from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). 
+ +* **Office Activity Data Source**: Enter the Logs Ingestion Data Source from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). + +Towards the bottom, click on "**Review + create**". + +![DCRLogIngestion_Deploy_1](Images/DCRLogIngestion_Deploy_1.png) + +Once the resources have validated, click on "**Create**". + +![DCRLogIngestion_Deploy_2](Images/DCRLogIngestion_Deploy_2.png) + +The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them. +Click the one corresponding to the Logic App. + +![DCRLogIngestion_Deploy_3](Images/DCRLogIngestion_Deploy_3.png) + +# +### Granting Access to Azure Key Vault + +Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secrets, located in the **tenant that is to receive the data**. + +From the Logic App menu blade, select the "**Identity**" tab, located under the "**Settings**" section. Click "**Azure role assignments**". + +![DCRLogIngestion_Key_Vault_Access_1](Images/DCRLogIngestion_Key_Vault_Access_1.png) + +Click "**Add role assignment**" then select "**Key Vault**" as the scope, select your Key Vault Name, then select "**Key Vault Secrets User**" for the role. Click "**Save**". 
+ +![DCRLogIngestion_Key_Vault_Access_2](Images/DCRLogIngestion_Key_Vault_Access_2.png) + +# +### Ensuring your Subscription is Enabled + +To ensure the subscription is enabled for the app registration used to access the"**O365 Audit General Logs**", the [OfficeAuditSubscribtionEnable](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Scripts/OfficeAuditSubscribtionEnable.ps1) should be run from an [Azure Cloud Shell Window](https://learn.microsoft.com/en-us/azure/cloud-shell/new-ui-shell-window) from the tenant you wish to **send the Microsoft Graph and Office data from**. + +![DCRLogIngestion_Azure_Cloud_Shell_1](Images/DCRLogIngestion_Azure_Cloud_Shell_1.png) +Click the "**PowerShell**" option, then select the appropriate subscription for the sending tenant. + +![DCRLogIngestion_Azure_Cloud_Shell_2](Images/DCRLogIngestion_Azure_Cloud_Shell_2.png) + +Copy and paste the script into the Azure Cloud Shell PowerShell window and hit enter. You will be prompted to enter your **sending** tenant, as well as the **sending** app registration client ID and client secret. + +![DCRLogIngestion_Azure_Cloud_Shell_3](Images/DCRLogIngestion_Azure_Cloud_Shell_3.png) + +# +### Enable the Logic App + +After all of the above steps are completed, from the Logic App Overview page, click "**Enable**". + +![DCRLogIngestion_Logic_App_Enable_1](Images/DCRLogIngestion_Logic_App_Enable_1.png) diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json new file mode 100644 index 00000000000..4bf6318837a --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json 
@@ -0,0 +1,278 @@ +[ + { + "id": "Directory_sample-id_1", + "category": "Device", + "correlationId": "sample-correlation-id-1", + "result": "success", + "resultReason": "", + "activityDisplayName": "Update device", + "activityDateTime": "2024-09-14T00:46:35.7046089Z", + "TimeGenerated": "2024-09-14T00:46:35.7046089Z", + "loggedByService": "Core Directory", + "operationType": "Update", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Device Registration Service", + "servicePrincipalId": "sample-service-principal-id-1", + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-1", + "displayName": "Device1234", + "type": "Device", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [ + { + "displayName": "DeviceOSVersion", + "oldValue": "[\"10.0.19045.4651\"]", + "newValue": "[\"10.0.19045.4780\"]" + }, + { + "displayName": "Included Updated Properties", + "oldValue": null, + "newValue": "\"DeviceOSVersion\"" + }, + { + "displayName": "TargetId.DeviceId", + "oldValue": null, + "newValue": "\"sample-device-id-1\"" + }, + { + "displayName": "TargetId.DeviceOSType", + "oldValue": null, + "newValue": "\"Windows\"" + }, + { + "displayName": "TargetId.DeviceTrustType", + "oldValue": null, + "newValue": "\"ServerAd\"" + } + ] + } + ], + "additionalDetails": [ + { + "key": "DeviceId", + "value": "sample-device-id-1" + }, + { + "key": "DeviceOSType", + "value": "Windows" + }, + { + "key": "DeviceTrustType", + "value": "ServerAd" + }, + { + "key": "User-Agent", + "value": "Microsoft.OData.Client/7.12.5" + } + ] + }, + { + "id": "UserManagement_sample-id_2", + "category": "UserManagement", + "correlationId": "sample-correlation-id-2", + "result": "clientError", + "resultReason": null, + "activityDisplayName": "Invite external user", + "activityDateTime": "2024-09-14T00:46:19.8135019Z", + "TimeGenerated": "2024-09-14T00:46:19.8135019Z", + "loggedByService": "Invited Users", + 
"operationType": "Add", + "initiatedBy": { + "user": null, + "app": { + "appId": "sample-app-id-2", + "displayName": "Microsoft.Azure.SyncFabric", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-2", + "displayName": "John Doe (SUP)", + "type": "User", + "userPrincipalName": "john.doe_sample@domain.com", + "groupType": null, + "modifiedProperties": [] + } + ], + "additionalDetails": [ + { + "key": "oid", + "value": "sample-oid-1" + }, + { + "key": "tid", + "value": "sample-tid-1" + }, + { + "key": "ipaddr", + "value": "" + }, + { + "key": "wids", + "value": "sample-wids" + }, + { + "key": "InvitationId", + "value": "sample-invitation-id-1" + }, + { + "key": "invitedUserEmailAddress", + "value": "john.doe_sample@domain.com" + } + ] + }, + { + "id": "ProvisioningManagement_sample-id_3", + "category": "ProvisioningManagement", + "correlationId": "sample-correlation-id-3", + "result": "success", + "resultReason": "User 'sample.user@domain.com' was deleted in Microsoft Entra ID", + "activityDisplayName": "Export", + "activityDateTime": "2024-09-14T00:44:55.9931961Z", + "TimeGenerated": "2024-09-14T00:44:55.9931961Z", + "loggedByService": "Account Provisioning", + "operationType": "", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Azure AD Cloud Sync", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-3", + "displayName": "Sample cross-tenant", + "type": "ServicePrincipal", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [] + }, + { + "id": null, + "displayName": "sample.user@domain.com", + "type": "User", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [] + } + ], + "additionalDetails": [ + { + "key": "Details", + "value": "" + }, + { + "key": "ErrorCode", + "value": "" + }, + { + "key": "EventName", + "value": "EntryExportDelete" + }, + 
{ + "key": "ipaddr", + "value": null + }, + { + "key": "JoiningProperty", + "value": "[Type: 5, Identity Provider: , Key: sample-key]" + }, + { + "key": "oid", + "value": null + }, + { + "key": "SourceAnchor", + "value": "sample-source-anchor" + }, + { + "key": "TargetAnchor", + "value": "sample-target-anchor" + }, + { + "key": "tid", + "value": null + }, + { + "key": "wids", + "value": null + } + ] + }, + { + "id": "ProvisioningManagement_sample-id_4", + "category": "ProvisioningManagement", + "correlationId": "sample-correlation-id-4", + "result": "failure", + "resultReason": "Failed to update User 'jane.doe@domain.com'; Error: The domain portion of the userPrincipalName property is invalid.", + "activityDisplayName": "Export", + "activityDateTime": "2024-09-14T00:44:54.7303184Z", + "TimeGenerated": "2024-09-14T00:44:54.7303184Z", + "loggedByService": "Account Provisioning", + "operationType": "", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Azure AD Cloud Sync", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-4", + "displayName": "Sample cross-tenant", + "type": "ServicePrincipal", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [ + { + "displayName": "streetAddress", + "oldValue": null, + "newValue": "\"123 Sample St\"" + }, + { + "displayName": "city", + "oldValue": null, + "newValue": "\"Sample City\"" + }, + { + "displayName": "state", + "oldValue": null, + "newValue": "\"Sample State\"" + }, + { + "displayName": "postalCode", + "oldValue": null, + "newValue": "\"12345\"" + }, + { + "displayName": "companyName", + "oldValue": null, + "newValue": "\"Sample Company\"" + }, + { + "displayName": "jobTitle", + "oldValue": null, + "newValue": "\"Sample Title\"" + } + ] + } + ], + "additionalDetails": [] + } +] 
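Review bot: The placeholder identities in this fixture (`john.doe_sample@domain.com`, `sample.user@domain.com`, `jane.doe@domain.com`) use `domain.com`, which is a real registered domain rather than a reserved one; SignInLogsSample.json in the same change already uses `user@example.com`. Switching these, and `sample.user@domain.com` in O365GeneralAuditLogsSample.json, to the RFC 2606 `example.com` convention keeps the samples from being mistaken for real tenant data. The remaining identifiers are already clearly placeholder-shaped.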
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json
new file mode 100644
index 00000000000..7d8f5cf6aac
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json
@@ -0,0 +1,294 @@ +[ + { + "CreationTime": "2024-09-17T00:29:25", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-1", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-1", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0.0.0.0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPad14C6/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-1", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0.0.0.0", + "InterSystemsId": "sample-intersystems-id-1", + "IntraSystemId": "sample-id-1", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-1" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:30:25", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-2", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-2", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "sample-object-id-2", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": 
"ResultStatusDetail", + "Value": "Redirect" + }, + { + "Name": "UserAgent", + "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Authorize" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-2", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-2", + "IntraSystemId": "sample-id-2", + "SupportTicketId": "", + "Target": [ + { + "ID": "sample-object-id-2", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "sample-application-id-2", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Windows10" + }, + { + "Name": "BrowserType", + "Value": "Edge" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-2" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:26:56", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-3", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-3", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPhone13C2/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-3", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-3", + "IntraSystemId": "sample-id-3", + 
"SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-3" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:28:55", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-4", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-4", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPhone14C6/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-4", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-4", + "IntraSystemId": "sample-id-4", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-4" + } + ], + "ErrorNumber": "0" + } +] 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json
new file mode 100644
index 00000000000..49818f544c4
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json
@@ -0,0 +1,146 @@ +[ + { + "id": "SIGNIN_ID_PLACEHOLDER_1", + "createdDateTime": "2024-09-13T01:13:51Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_1", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 0, + "failureReason": "Other.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + }, + { + "id": "SIGNIN_ID_PLACEHOLDER_2", + "createdDateTime": "2024-09-13T01:13:48Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_2", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + 
"riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 65001, + "failureReason": "The user or administrator has not consented to use the application with ID '{identifier}'{namePhrase}. Send an interactive authorization request for this user and resource.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + }, + { + "id": "SIGNIN_ID_PLACEHOLDER_3", + "createdDateTime": "2024-09-13T01:13:20Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_3", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 0, + "failureReason": "Other.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + 
"displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + } +] diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 new file mode 100644 index 00000000000..617f3bc6e48 --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 
@@ -0,0 +1,33 @@
+# Prompt for tenantId, clientId, and clientSecret
+$tenantId = Read-Host -Prompt "Enter Tenant ID"
+$clientId = Read-Host -Prompt "Enter Client ID"
+$clientSecret = Read-Host -Prompt "Enter Client Secret Value"
+
+# Get an OAuth token for the API
+$body = @{
+ grant_type = "client_credentials"
+ resource = "https://manage.office.com"
+ client_id = $clientId
+ client_secret = $clientSecret
+}
+
+$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Body $body
+$token = $tokenResponse.access_token
+
+# Check the subscription status
+$headers = @{
+ Authorization = "Bearer $token"
+}
+
+$uri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list"
+$subscriptions = Invoke-RestMethod -Uri $uri -Headers $headers
+$subscriptions
+
+# Define the URL for starting the subscription
+$startUri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory"
+
+# Start the subscription
+$startSubscription = Invoke-RestMethod -Uri $startUri -Headers $headers -Method POST
+
+# Output the result
+$startSubscription
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json
new file mode 100644
index 00000000000..4fc210da162
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json
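Review bot: The client secret is read with a plain `Read-Host` on the fourth line of the script, so it is echoed to the terminal and kept in clear text in the Cloud Shell session history; `Read-Host -AsSecureString` followed by `ConvertFrom-SecureString -AsPlainText` (available in PowerShell 7, which the Cloud Shell PowerShell option provides) keeps it masked until the request body is built. The token request also has no failure handling: if `Invoke-RestMethod` fails or the response carries no `access_token`, the script carries on and sends `Authorization: Bearer ` with an empty token to the subscriptions endpoints, so the error the user sees points at the wrong call; `-ErrorAction Stop` plus a null check on `$token` stops it at the real cause. Separately, the README and the Logic App action names refer to "O365 Audit General Logs" while the script enables the `Audit.AzureActiveDirectory` content type — if the Logic App actually reads `Audit.General` (its request URI is not in this hunk), that subscription is never started, so the name or the `contentType` value should be reconciled.
```powershell
$clientSecretSecure = Read-Host -Prompt "Enter Client Secret Value" -AsSecureString
$clientSecret = ConvertFrom-SecureString -SecureString $clientSecretSecure -AsPlainText
# … unchanged: $body hashtable …
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop
$token = $tokenResponse.access_token
if ([string]::IsNullOrEmpty($token)) { throw "Token request returned no access_token" }
# … unchanged: subscription list and start calls …
```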
@@ -0,0 +1,482 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "AS-Microsoft-DCR-Log-Ingestion", + "description": "This playbook is intended to be run ", + "preDeployment": ["App registration", "Data collection Endpoints", "Data Collection Rules", "Azure Keyvault Secret"], + "postDeployment": ["Access to the Azure Key Vault must be granted to the playbook"], + "lastUpdateTime": "2024-08-21T17:48:00Z", + "tags": ["Microsoft Graph", "Microsoft Office"], + "support": { + "tier": "partner" + }, + "author": { + "name": "Accelerynt" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "AS-Microsoft-DCR-Log-Ingestion", + "type": "string", + "metadata": { + "description": "Name of the Logic App resource to be created" + } + }, + "SendingAppRegistrationTenantId": { + "type": "string", + "metadata" : { + "description" : "Enter the Directory (tenant) Id of the App Registration that will be used to send data" + } + }, + "SendingAppRegistrationClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of the App Registration that will be used to send data" + } + }, + "SendingTenantSubscriptionID": { + "type": "string", + "metadata" : { + "description" : "Enter the subscription ID for the tenant that will send the data" + } + }, + "ReceivingAppRegistrationClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of the App Registration that will be used to receive data" + } + }, + "KeyVaultName": { + "type": "string", + "metadata" : { + "description" : "Name of the Key Vault that stores the App Registration client secrets" + } + }, + "SendingAppRegistrationKeyVaultSecretName": { + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the sending App Registration client secret" + } + }, + "ReceivingAppRegistrationKeyVaultSecretName": 
{ + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the receiving App Registration client secret" + } + }, + "EntraSignInLogsIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the EntraSignInLogs DCE" + } + }, + "EntraSignInLogsImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the EntraSignInLogs DCR" + } + }, + "EntraSignInLogsDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the EntraSignInLogs DCR" + } + }, + "EntraAuditLogsIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the EntraAuditLogs DCE" + } + }, + "EntraAuditLogsImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the EntraAuditLogs DCR" + } + }, + "EntraAuditLogsDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the EntraAuditLogs DCR" + } + }, + "OfficeActivityIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the OfficeActivty DCE" + } + }, + "OfficeActivtyImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the OfficeActivty DCR" + } + }, + "OfficeActivtyDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the OfficeActivty DCR" + } + } + }, + "variables": { + "keyvault": "[concat('keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('keyvault')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('KeyVaultName')]" + }, + "customParameterValues": { + }, 
+ "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('keyvault'))]" + ], + "properties": { + "state": "Disabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Minute", + "interval": 5 + }, + "recurrence": { + "frequency": "Minute", + "interval": 5 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_Each_-_O365_Audit_Logs": { + "actions": { + "For_each_-_Content_URI_Item": { + "actions": { + "HTTP_-_Send_Data_to_Office_Activity_Logs_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Content_URI_Item')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Content_URI_Item')))}", + "Content-Type": "application/json", + "Host": "[parameters('OfficeActivityIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('OfficeActivityIngestionURL'), '/dataCollectionRules/', parameters('OfficeActivtyImmutableId'), '/streams/', parameters('OfficeActivtyDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@json(body('HTTP_-_Get_O365_Content'))", + "runAfter": { + "HTTP_-_Get_O365_Content": [ + 
"Succeeded" + ] + }, + "type": "Foreach" + }, + "HTTP_-_Get_O365_Content": { + "inputs": { + "authentication": { + "audience": "https://manage.office.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "method": "GET", + "uri": "@{items('For_Each_-_O365_Audit_Logs')?['contentUri']}" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_O365_Audit_General_Logs')", + "runAfter": { + "HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_-_Entra_Audit_Logs": { + "actions": { + "HTTP_-_Send_Data_to_Entra_Audit_Log_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Entra_Audit_Logs')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Entra_Audit_Logs')))}", + "Content-Type": "application/json", + "Host": "[parameters('EntraAuditLogsIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('EntraAuditLogsIngestionURL'), '/dataCollectionRules/', parameters('EntraAuditLogsImmutableId'), '/streams/', parameters('EntraAuditLogsDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_Entra_Audit_Logs')?['value']", + "runAfter": { + "HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_-_Entra_Sign_in_Logs": { + "actions": { + "HTTP_-_Send_Data_to_SignInLog_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Entra_Sign_in_Logs')" + ], + "headers": { + "Authorization": "Bearer 
@{body('HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Entra_Sign_in_Logs')))}", + "Content-Type": "application/json", + "Host": "[parameters('EntraSignInLogsIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('EntraSignInLogsIngestionURL'), '/dataCollectionRules/', parameters('EntraSignInLogsImmutableId'), '/streams/', parameters('EntraSignInLogsDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_Entra_SignIn_Logs')?['value']", + "runAfter": { + "HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_Entra_Audit_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_O365_Audit_General_Logs": [ + "Succeeded" + ] + }, + "type": 
"Http" + }, + "HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_Entra_SignIn_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_Entra_Audit_Logs": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge @{addMinutes(variables('UTCNow'), -5)}" + }, + "runAfter": { + "Get_Receiving_App_Registration_Client_Secret": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_Entra_SignIn_Logs": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge @{addMinutes(variables('UTCNow'), -5)}" + }, + "runAfter": { + 
"For_each_-_Entra_Audit_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_O365_Audit_General_Logs": { + "inputs": { + "authentication": { + "audience": "https://manage.office.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "[concat('https://manage.office.com/api/v1.0/', parameters('SendingTenantSubscriptionID'),'/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&PublisherIdentifier=Microsoft?&startTime=@{addMinutes(variables(''UTCNow''), -5)}&endTime=@{variables(''UTCNow'')}')]" + }, + "runAfter": { + "For_each_-_Entra_Sign_in_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "Initialize_variable_-_UTC_Now": { + "description": "Get the current time stamp so it is the same in all references", + "inputs": { + "variables": [ + { + "name": "UTCNow", + "type": "string", + "value": "@{utcNow()}" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Get_Sending_App_Registration_Client_Secret": { + "runAfter": { + "Initialize_variable_-_UTC_Now": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "[concat('/secrets/@{encodeURIComponent(''', parameters('SendingAppRegistrationKeyVaultSecretName'), ''')}/value')]" + } + }, + "Get_Receiving_App_Registration_Client_Secret": { + "runAfter": { + "Get_Sending_App_Registration_Client_Secret": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": 
"[concat('/secrets/@{encodeURIComponent(''', parameters('ReceivingAppRegistrationKeyVaultSecretName'), ''')}/value')]"
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('keyvault'))]",
+ "connectionName": "[variables('keyvault')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip
new file mode 100644
index 00000000000..9f034c2efbc
Binary files /dev/null and b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip differ
diff --git a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip b/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip
deleted file mode 100644
index 95b538b7762..00000000000
Binary files a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip and /dev/null differ
diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
index 837be74ed75..e8ff60960c0 100644
--- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
+++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
@@ -2,13 +2,13 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "",
- "description": "",
+ "title": "MTI Threat Actor Lookup",
+ "description": "To be deployed with the bundled function app to automate infrastructure chaining with the MTI API",
 "prerequisites": "",
 "postDeployment": [
 ],
 "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "",
+ "lastUpdateTime": "2024-10-18T09:44:59Z",
 "entities": [
 ],
 "tags": [
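Review bot: The new `title` and `description` use the acronym `MTI` while the folder, the `PlaybookName` default (`MDTI-Actor-LookupV2`) and the `hidden-SentinelTemplateName` tag use `MDTI`, so the gallery entry will not match the rest of the template; pick one spelling. The `prerequisites` field is still empty although the template only works once the bundled function app is deployed, its key is stored in Key Vault, and the Security Copilot and Key Vault connections are authorised, which a deployer has to know before running it. A one-line entry such as `"prerequisites": "Deploy the bundled function app, store its function key as a Key Vault secret and note the function URL before deploying this template"` would cover that.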
@@ -18,18 +18,24 @@
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
 },
 "author": {
- "name": ""
+ "name": "Geoff Roote"
 }
 },
 "parameters": {
 "PlaybookName": {
 "defaultValue": "MDTI-Actor-LookupV2",
 "type": "string"
+ },
+ "Function App URL": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for Function App URL"
+ }
 }
 },
 "variables": {
 "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
- "azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "AzuresentinelConnectionName": "[concat('Azuresentinel-', parameters('PlaybookName'))]",
 "SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]",
 "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
 },
@@ -46,6 +52,10 @@
 "defaultValue": {
 },
 "type": "Object"
+ },
+ "Function App URL": {
+ "defaultValue": "[parameters('Function App URL')]",
+ "type": "String"
 }
 },
 "triggers": {
@@ -121,7 +131,7 @@
 },
 "Compose_2": {
 "type": "Compose",
- "inputs": "@concat(string(body('Parse_JSON_1')?['name']), ', ', string(body('Parse_JSON_1')?['description']))"
+ "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))"
 },
 "Condition_2": {
 "actions": {
@@ -147,21 +157,9 @@
 }
 },
 "Compose_3": {
- "runAfter": {
- "Join_1": [
- "Succeeded"
- ]
- },
 "type": "Compose",
 "inputs": "@body('Join_1')"
 },
- "Join_1": {
- "type": "Join",
- "inputs": {
- "from": "@variables('entity_host')",
- "joinWith": "\n"
- }
- },
 "Submit_a_Copilot_for_Security_prompt_2": {
 "runAfter": {
 "Compose_3": [
@@ -213,7 +211,7 @@
 }
 },
 "runAfter": {
- "Append_to_array_variable_1": [
+ "Join_1": [
 "Succeeded"
 ]
 },
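Review bot: The new `Function App URL` parameter's description (`Enter value for Function App URL`) does not say what form the value must take, yet the HTTP action that consumes it (in the `@@ -572` hunk) concatenates `item=` directly onto it, so the value has to be the full function endpoint ending in `?`; the removed hard-coded value was `https://…/api/mdtipdns?`. Say so in the metadata, e.g. `"description": "Full URL of the deployed lookup function including the trailing '?', e.g. https://<function-app>.azurewebsites.net/api/mdtipdns?"`, or have the action insert the `?` itself so the parameter can be a plain URL. A name without spaces (`FunctionAppUrl`) would also match the other parameters in this template and avoid quoting in deployment scripts.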
@@ -232,6 +230,18 @@
 ]
 },
 "type": "If"
+ },
+ "Join_1": {
+ "runAfter": {
+ "Append_to_array_variable_1": [
+ "Succeeded"
+ ]
+ },
+ "type": "Join",
+ "inputs": {
+ "from": "@variables('entity_host')",
+ "joinWith": "\n"
+ }
 }
 },
 "runAfter": {
@@ -355,7 +365,7 @@
 },
 "Compose": {
 "type": "Compose",
- "inputs": "@concat(string(body('Parse_JSON')?['name']), ', ', string(body('Parse_JSON')?['description']))"
+ "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))"
 },
 "Condition_1": {
 "actions": {
@@ -381,21 +391,9 @@
 }
 },
 "Compose_1": {
- "runAfter": {
- "Join": [
- "Succeeded"
- ]
- },
 "type": "Compose",
 "inputs": "replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')"
 },
- "Join": {
- "type": "Join",
- "inputs": {
- "from": "@variables('entity_ip')",
- "joinWith": "\n"
- }
- },
 "Submit_a_Copilot_for_Security_prompt_1": {
 "runAfter": {
 "Compose_1": [
@@ -447,7 +445,7 @@
 }
 },
 "runAfter": {
- "Append_to_array_variable": [
+ "Join": [
 "Succeeded"
 ]
 },
@@ -466,6 +464,18 @@
 ]
 },
 "type": "If"
+ },
+ "Join": {
+ "runAfter": {
+ "Append_to_array_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "Join",
+ "inputs": {
+ "from": "@variables('entity_ip')",
+ "joinWith": "\n"
+ }
 }
 },
 "runAfter": {
@@ -572,111 +582,222 @@ "For_each_3": { "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "actions": { - "Append_to_array_variable_3": { - "runAfter": { - "Function_App_call": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call": { + "type": "Http", "inputs": { - "name": "groups", - "value": "@body('Function_App_call')" - } + "uri": "@{parameters('Function App URL')}item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_7": { - "foreach": "@variables('groups')", + "Condition_3": { "actions": { - "Compose_6": { - "type": "Compose", - "inputs": "@split(items('For_each_7'), ', ')\r\n" + "Parse_JSON_3": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_7": { + "Select_1": { "runAfter": { - "Compose_6": [ + "Parse_JSON_3": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_6'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_2": { + "runAfter": { + "Compose_4": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition": { + "For_each_5": { + "foreach": "@body('Select_2')", "actions": { - "Add_comment_to_incident_(V3)_1": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_3": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "groups", + "value": "@items('For_each_5')" + } + } + }, + "runAfter": { + "Select_2": [ + "Succeeded" + ] + }, + "type": 
"Foreach" + }, + "Compose_4": { + "runAfter": { + "Select_1": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select_1'), body('Select_1'))" + } + }, + "runAfter": { + "Function_App_call": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Function_App_Call'))", + 2 + ] + }, + { + "not": { + "equals": [ + "@body('Function_App_call')", + "" + ] + } + } + ] + }, + "type": "If" + }, + "Condition_9": { + "actions": { + "For_each_7": { + "foreach": "@outputs('Compose_4')", + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_1": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_1": [ - "Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + 
}, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_7')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_7')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_7')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table": { - "type": "Table", - "inputs": { - "from": "@variables('groups')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt": { - "runAfter": { - "Create_HTML_table": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_7')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_2": { + "runAfter": { + "For_each_7": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('groups')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_4": { + "runAfter": { + "Create_HTML_table_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups 
and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_2')}\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_9": { + "foreach": "@body('Select_1')", + "actions": { "Update_incident_1": { - "runAfter": { - "Add_comment_to_incident_(V3)_4": [ - "Succeeded" - ] - }, "type": "ApiConnection", "inputs": { "host": { @@ -690,7 +811,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_7')" + "Tag": "@item()['Group']" } ] }, @@ -702,61 +823,43 @@ } }, "runAfter": { - "Compose_7": [ + "Add_comment_to_incident_(V3)_4": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_7')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_7'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_3": [ + "Condition_3": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select_1')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('groups'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
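Review bot: `Function_App_call` still sends the Key Vault–sourced function key in the query string (`&code=@{body('Get_secret')?['value']}`), but the `runtimeConfiguration.secureData` block that previously hid this action's `inputs`/`outputs` has been removed, so the key and the lookup response will be written in clear to the run history of every iteration for anyone who can read it. Restore `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` on the action; `Function_App_call_1` in the next hunk has the same regression. The URI is built as `@{parameters('Function App URL')}item=…` with no `?` between base and query, so the template only works when the parameter value ends in `?` (the removed hard-coded value was `…/api/mdtipdns?`); either append the `?` in the action or document the required form on the parameter. The `greater` test in `Condition_3` refers to `body('Function_App_Call')` while the action is named `Function_App_call` and the sibling `equals` test spells it that way; worth confirming the reference resolves before relying on the guard.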
@@ -764,116 +867,232 @@ "Succeeded" ] }, - "type": "Foreach" + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } }, "For_each_3-copy": { "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", "actions": { - "Append_to_array_variable_4": { - "runAfter": { - "Function_App_call_1": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call_1": { + "type": "Http", "inputs": { - "name": "hostpivot", - "value": "@body('Function_App_call_1')" - } + "uri": "@{parameters('Function App URL')}item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_8": { - "foreach": "@variables('hostpivot')", + "Condition_5": { "actions": { - "Compose_8": { - "type": "Compose", - "inputs": "@split(items('For_each_8'), ', ')\r\n" + "Parse_JSON_2": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call_1')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_9": { + "Select": { "runAfter": { - "Compose_8": [ + "Parse_JSON_2": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_8'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_4": { + "runAfter": { + "Compose_5": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition_4": { + "For_each_1": { + "foreach": "@body('Select_4')", "actions": { - "Add_comment_to_incident_(V3)_5": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt_4": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_2": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + "name": "hostpivot", + "value": "@items('For_each_1')" + } + } + }, + "runAfter": { + "Select_4": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_5": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select'), body('Select'))" + } + }, + "runAfter": { + "Function_App_call_1": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Function_App_call_1')", + "" + ] + } + }, + { + "greater": [ + "@length(body('Function_App_Call_1'))", + 2 + ] + } + ] + }, + "type": "If" + }, + "Condition_8": { + "actions": { + "For_each_8": { + "foreach": "@outputs('Compose_5')", + "actions": { + "Condition_4": { + "actions": { + "Add_comment_to_incident_(V3)_5": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt_4": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_8')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_9')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_6": { - "runAfter": { - "Add_comment_to_incident_(V3)_5": [ - 
"Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt_4": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_8')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_8')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_8')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table_1": { - "type": "Table", - "inputs": { - "from": "@variables('hostpivot')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt_4": { - "runAfter": { - "Create_HTML_table_1": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_9')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_1": { + "runAfter": { + "For_each_8": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('hostpivot')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_6": { + "runAfter": { + "Create_HTML_table_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Update_incident_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_6": [ - "Succeeded" - ] - }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_10": { + "foreach": "@body('Select')", + "actions": { + "Update_incident_3": { "type": "ApiConnection", "inputs": { "host": { @@ -887,7 +1106,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_9')" + "Tag": "@item()['Group']" } ] }, @@ -899,61 +1118,43 @@ } }, "runAfter": { - "Compose_9": [ + "Add_comment_to_incident_(V3)_6": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_9')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_9'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_4": [ + "Condition_5": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call_1": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('hostpivot'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
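Review bot: `For_each_3-copy` appends to the shared `hostpivot` variable from the nested `For_each_1`, but unlike `For_each_3`, which gained `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` at the top of this hunk, it keeps the default parallel iteration (its closing `"type": "Foreach"` at the start of the next hunk is unchanged), so appends from different hosts can interleave and the `hostpivot` contents seen by `Create_HTML_table_1` in a given iteration depend on timing. Add the same concurrency setting to `For_each_3-copy`. In `Condition_8` the test `"equals": ["@body('Select')", ""]` compares an array with an empty string and is never true, so the guard reduces to `length(variables('hostpivot')) != 0`; if an empty lookup result is what should be skipped, `"equals": ["@length(body('Select'))", 0]` expresses that. `Condition_9` in the previous hunk has the same shape.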
@@ -963,20 +1164,6 @@
 },
 "type": "Foreach"
 },
- "Get_secret": {
- "runAfter": {
- },
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['Keyvault']['connectionId']"
- }
- },
- "method": "get",
- "path": "/secrets/@{encodeURIComponent('MDTI-Function-App')}/value"
- }
- },
 "Initialize_variable": {
 "runAfter": {
 "Entities_-_Get_IPs": [
@@ -1082,6 +1269,20 @@
 "triggerName": "manual"
 }
 }
+ },
+ "Get_secret": {
+ "runAfter": {
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('MechanicsDemo-AzureFunction')}/value"
+ }
 }
 },
 "outputs": {
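Review bot: `Get_secret` now reads a hard-coded secret name, `MechanicsDemo-AzureFunction`, which reads like the author's demo vault rather than something a deployer will have, so every fresh deployment fails at this step until the workflow is hand-edited; the previous name `MDTI-Function-App` at least matched the playbook. Take the name from a template parameter the way the other playbook in this change does for its secrets, e.g. `"path": "[concat('/secrets/@{encodeURIComponent(''', parameters('FunctionAppKeySecretName'), ''')}/value')]"` with a `FunctionAppKeySecretName` parameter (name to choose) declared next to `Function App URL`. The switch from `['Keyvault']` to `['keyvault']` matches the renamed `$connections` entry in the next hunk, so that part is consistent.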
@@ -1093,29 +1294,24 @@
 "azuresentinel": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
 "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
 "connectionProperties": {
 "authentication": {
 "type": "ManagedServiceIdentity"
 }
 }
 },
- "azuresentinel1": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]",
- "connectionName": "[variables('azuresentinelConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
- }
- }
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]",
+ "connectionName": "[variables('AzuresentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 },
 "securitycopilot": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
 "connectionName": "[variables('SecuritycopilotConnectionName')]",
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"
 },
- "": {
+ "keyvault": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
 "connectionName": "[variables('KeyvaultConnectionName')]",
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
@@ -1133,6 +1329,9 @@
 "type": "Microsoft.Logic/workflows",
 "location": "[resourceGroup().location]",
 "tags": {
+ "CreatedDate": "10/17/2024 5:09:07 PM",
+ "Created By": "u1126",
+ "CreatorUPN": "u1126@a.alpineskihouse.co",
 "hidden-SentinelTemplateName": "MDTI-Actor-LookupV2",
 "hidden-SentinelTemplateVersion": "1.0"
 },
@@ -1142,7 +1341,7 @@
 "apiVersion": "2017-07-01",
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
- "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]",
 "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
 "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
 ]
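Review bot: The `$connections` value now contains the key `azuresentinel` twice — the existing entry bound to `MicrosoftSentinelConnectionName` with `ManagedServiceIdentity` authentication (context lines) and the renamed entry that replaced `azuresentinel1`, bound to `AzuresentinelConnectionName` with no `connectionProperties`. Duplicate keys in one JSON object are at best last-one-wins, so the managed-identity connection is likely to be dropped and every `Add_comment_to_incident`/`Update_incident` action will run over the connection that has no authentication configured; keep the keys distinct (the removed `azuresentinel1` was fine) or remove the second connection and its resource. The `CreatedDate`, `Created By` and `CreatorUPN` tags added in the `@@ -1133` hunk are portal-export metadata from the author's environment (`u1126@a.alpineskihouse.co`) and would be stamped on every customer's workflow; drop them. The managed API id also changed from `azuresentinel` to `Azuresentinel` here and in the `@@ -1159` hunk; if the managed API lookup is case-sensitive this breaks deployment, so confirm with a test deployment before merging.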
@@ -1159,23 +1358,22 @@
 },
 "parameterValueType": "Alternative",
 "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 }
 }
 },
 {
 "type": "Microsoft.Web/connections",
 "apiVersion": "2016-06-01",
- "name": "[variables('azuresentinelConnectionName')]",
+ "name": "[variables('AzuresentinelConnectionName')]",
 "location": "[resourceGroup().location]",
 "kind": "V1",
 "properties": {
- "displayName": "[variables('azuresentinelConnectionName')]",
+ "displayName": "[variables('AzuresentinelConnectionName')]",
 "customParameterValues": {
 },
- "parameterValueType": "Alternative",
 "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 }
 }
 },
diff --git a/Playbooks/MDTI-Actor-Lookup/function_app.py b/Playbooks/MDTI-Actor-Lookup/function_app.py
index 14bb5e95689..0d8a5e04aa4 100644
--- a/Playbooks/MDTI-Actor-Lookup/function_app.py
+++ b/Playbooks/MDTI-Actor-Lookup/function_app.py
@@ -75,6 +75,7 @@ def list_grab(item):
 logging.info(f"Fetched {len(artifact_ids)} artifacts, total so far: {len(artifact_list)}")
 else:
 logging.warning(f"'value' key not found in response: {data}")
+ continue
 
 # Check for the presence of @odata.nextLink
 services = data.get('@odata.nextLink', None)
diff --git a/Sample Data/ASIM/Microsoft_Security Events_Authentication_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_Security Events_Authentication_IngestedLogs.csv
new file mode 100644
index 00000000000..089e7a41a86
--- /dev/null
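Review bot: Removing `"parameterValueType": "Alternative",` from the `AzuresentinelConnectionName` connection resource (together with the `connectionProperties` block dropped from its `$connections` entry in the earlier hunk) leaves that connection without managed-identity authentication, while the connection resource above it keeps `"parameterValueType": "Alternative"`; the asymmetry reads as deliberate but is not explained anywhere in the diff. If it is intended, the playbook README should state that this second connection has to be authorised interactively after deployment; if not, restore the line here and the `connectionProperties` block in the `$connections` entry. The first three lines of the hunk belong to a connection resource whose start is outside the hunk.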
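Review bot: The added `continue` jumps past the `services = data.get('@odata.nextLink', None)` assignment two lines below, so if this block sits in a loop driven by `services` (the loop header is outside the hunk, earlier in `list_grab`), a response without a `value` key re-requests the same URL on every iteration and never terminates. If a missing `value` means the feed is exhausted, `break` is the safer choice; if it is meant to be retried, keep `continue` but bound the retries with a counter so a persistently malformed response cannot spin the function indefinitely. Either way, a one-line comment on the new line stating which of the two is intended would help the next reader, e.g. `# stop paging: a page without 'value' is treated as terminal`.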
+++ b/Sample Data/ASIM/Microsoft_Security Events_Authentication_IngestedLogs.csv 
@@ -0,0 +1,1002 @@ +TenantId,TimeGenerated [UTC],SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,AdditionalInfo,AdditionalInfo2,AllowedToDelegateTo,Attributes,AuditPolicyChanges,AuditsDiscarded,AuthenticationLevel,AuthenticationPackageName,AuthenticationProvider,AuthenticationServer,AuthenticationService,AuthenticationType,CACertificateHash,CalledStationID,CallerProcessId,CallerProcessName,CallingStationID,CAPublicKeyHash,CategoryId,CertificateDatabaseHash,ClassId,ClassName,ClientAddress,ClientIPAddress,ClientName,CommandLine,CompatibleIds,DCDNSName,DeviceDescription,DeviceId,DisplayName,Disposition,DomainBehaviorVersion,DomainName,DomainPolicyChanged,DomainSid,EAPType,ElevatedToken,ErrorCode,ExtendedQuarantineState,FailureReason,FileHash,FilePath,FilePathNoUser,Filter,ForceLogoff,Fqbn,FullyQualifiedSubjectMachineName,FullyQualifiedSubjectUserName,GroupMembership,HandleId,HardwareIds,HomeDirectory,HomePath,ImpersonationLevel,IpAddress,IpPort,KeyLength,LmPackageName,LocationInformation,LockoutDuration,LockoutObservationWindow,LockoutThreshold,LoggingResult,LogonHours,LogonID,LogonProcessName,LogonType,LogonTypeName,MachineAccountQuota,MachineInventory,MachineLogon,MandatoryLabel,MaxPasswordAge,MemberName,MemberSid,MinPasswordAge,MinPasswordLength,MixedDomainMode,NASIdentifier,NASIPv4Address,NASIPv6Address,NASPort,NASPortType,NetworkPolicyName,NewDate,NewMaxUsers,NewProcessId,NewProcessName,NewRemark,NewShareFlags,NewTime,NewUacValue,NewValue,NewValueType,ObjectName,ObjectServer,ObjectType,ObjectValueName,OemInformation,OldMaxUsers,OldRemark,OldShareFlags,OldUacValue,OldValue,OldValueType,OperationType,PackageName,ParentProcessName,PasswordHistoryLength,PasswordLastSet,PasswordProperties,PreviousDate,PreviousTime,PrimaryGroupId,PrivateKeyUsageCoun
t,PrivilegeList,Process,ProcessId,ProcessName,Properties,ProfilePath,ProtocolSequence,ProxyPolicyName,QuarantineHelpURL,QuarantineSessionID,QuarantineSessionIdentifier,QuarantineState,QuarantineSystemHealthResult,RelativeTargetName,RemoteIpAddress,RemotePort,Requester,RequestId,RestrictedAdminMode,RowsDeleted,SamAccountName,ScriptPath,SecurityDescriptor,ServiceAccount,ServiceFileName,ServiceName,ServiceStartType,ServiceType,SessionName,ShareLocalPath,ShareName,SidHistory,Status,SubjectAccount,SubcategoryId,Subject,SubjectDomainName,SubjectKeyIdentifier,SubjectLogonId,SubjectMachineName,SubjectMachineSID,SubjectUserName,SubjectUserSid,SubStatus,TableId,TargetAccount,TargetDomainName,TargetInfo,TargetLinkedLogonId,TargetLogonId,TargetOutboundDomainName,TargetOutboundUserName,TargetServerName,TargetSid,TargetUser,TargetUserName,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,EventLevelName,EventOriginId,MG,TimeCollected [UTC],ManagementGroupName,SystemUserId,Version,Opcode,Keywords,Correlation,SystemProcessId,SystemThreadId,EventRecordId,Type,_ResourceId +,"10/18/2024, 9:29:21.125 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weatheronline,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{594619fc-5ff6-449c-8620-ebd41c2f919b},720,8812,3287814,SecurityEvent, +,"10/18/2024, 9:29:23.016 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weischermedia,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a9fc1700-34da-4cf1-8065-fa485f6c43c7},720,8812,3287816,SecurityEvent, +,"10/18/2024, 9:29:24.750 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webakebread,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3ca13f6e-a784-4cf3-8e56-e080b658d931},720,8812,3287818,SecurityEvent, +,"10/18/2024, 9:29:26.429 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wehousing,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23550e9b-b74b-4597-b4da-431e95519db6},720,8812,3287820,SecurityEvent, +,"10/18/2024, 9:29:26.984 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,40.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rivaldiputrad,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8939b926-3750-4850-826d-7e7191bc2e11},720,8812,3287822,SecurityEvent, +,"10/18/2024, 9:29:27.397 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.166,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,onurakgonen,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{265a5c98-e82b-4c6b-9634-893a1e6b571b},720,8812,3287824,SecurityEvent, +,"10/18/2024, 9:29:27.570 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.159,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,tconway29,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff168f91-ea77-48c9-af46-243b155955f6},720,8812,3287826,SecurityEvent, +,"10/18/2024, 9:29:28.248 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webagenturnord,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{625c3c21-9bd9-4c7d-8b16-88141ce6d00c},720,8812,3287828,SecurityEvent, +,"10/18/2024, 9:29:29.912 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wembli,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7e099f2-c467-4f12-86ae-ff2d320a51bb},720,8812,3287830,SecurityEvent, +,"10/18/2024, 9:29:31.594 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westpro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{20fcea2b-dc49-4993-8d06-1971ae3d7156},720,8812,3287834,SecurityEvent, +,"10/18/2024, 9:29:33.241 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weathercraft,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c81b67e-ec66-4491-8f3b-c78e506bcb0c},720,8812,3287836,SecurityEvent, +,"10/18/2024, 9:29:34.913 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wedj,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8412ad2c-80ec-48c1-858a-496c408e583e},720,8812,3287838,SecurityEvent, +,"10/18/2024, 9:29:36.571 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wellpartner,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{720a257c-1f76-4110-aa72-6a9698cf82e5},720,8812,3287840,SecurityEvent, +,"10/18/2024, 9:29:38.221 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webtimeclock,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bec0be8e-2eef-4db7-8f93-0b736e431c77},720,8812,3287842,SecurityEvent, +,"10/18/2024, 9:29:31.980 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11U.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SenseIR.exe,0x1080,C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11U$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11U$,S-1-5-18,0x80090325,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,411f600a-a0a4-4572-b678-debfbf4c5d39,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:10.219 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{bb4acbd3-e3c8-4ee9-9712-655040305c2b},716,3712,11213538,SecurityEvent, +,"10/18/2024, 9:29:40.057 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,87.120.112.181,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,devops,S-1-0-0,,,,,,,,-,,,,,,,,Number11,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{86d705c4-38c4-4c57-8f3b-fa736af419b8},720,8812,3287844,SecurityEvent, +,"10/18/2024, 9:29:40.130 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log 
on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetnoze,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e515b92-0440-4fb0-8005-823c185ad396},720,8812,3287846,SecurityEvent, +,"10/18/2024, 9:29:41.821 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winchster,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{002d041c-aa60-4bd9-9064-bcb695dfdeb7},720,8812,3287848,SecurityEvent, +,"10/18/2024, 9:29:43.492 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitmart,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{353df894-fa7a-46fd-b78e-c1bdefe64725},720,8812,3287850,SecurityEvent, +,"10/18/2024, 9:29:45.114 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.161,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,shiannemilward,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7821cf6-baf9-40d1-9bc4-067f591ca3bc},720,8812,3287852,SecurityEvent, +,"10/18/2024, 9:29:45.342 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2c8,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,WORKGROUP\devops-vm$,,,WORKGROUP,,0x3e7,,,devops-vm$,S-1-5-18,,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,2,0,0x8020000000000000,{68c4274d-a32b-4f15-b3fb-218f68ed4336},720,8812,3287854,SecurityEvent, +,"10/18/2024, 9:29:45.409 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log 
on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearebattalion,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{18ed46e3-d016-4b19-a2e7-24faa424be1f},720,8812,3287859,SecurityEvent, +,"10/18/2024, 9:29:47.079 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcoastcc,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{036fe8e6-4a24-47e9-909c-7ca8441c8b38},720,4828,3287862,SecurityEvent, +,"10/18/2024, 9:29:48.758 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webbuilders,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{346a4e53-7bd7-4ef8-a7ad-7abb447bdeed},720,4828,3287864,SecurityEvent, +,"10/18/2024, 9:29:50.434 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wendyworks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2ccd2ac-4398-4957-9113-3c7c16eea937},720,4828,3287866,SecurityEvent, +,"10/18/2024, 9:29:52.107 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wiko,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee7b36b5-beed-463d-b6df-3f5939c46505},720,3372,3287870,SecurityEvent, +,"10/18/2024, 9:29:53.799 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearesparks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cf2116ea-cd85-4ba8-8481-52e215cf3175},720,3372,3287872,SecurityEvent, +,"10/18/2024, 9:29:55.450 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wcyk,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1044e467-0f74-4f5e-aec2-f753e4f18142},720,3372,3287874,SecurityEvent, +,"10/18/2024, 9:29:57.186 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whywhisper,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59782437-956a-4d29-aee1-64634b59e188},720,3372,3287876,SecurityEvent, +,"10/18/2024, 9:29:57.202 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.163,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,darindelelys,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{525ae9e9-73d9-4652-a047-d0089eb0f10d},720,3372,3287878,SecurityEvent, +,"10/18/2024, 9:29:58.834 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wegewerk,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3678b4c8-e825-44aa-af69-4c86151208e9},720,3372,3287880,SecurityEvent, +,"10/18/2024, 9:30:00.510 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webv,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa4a2b57-c766-46de-9d55-e1e90eb8a3d2},720,3372,3287882,SecurityEvent, +,"10/18/2024, 9:30:02.160 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcon,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d9268599-43eb-4a6e-acc9-f778937d920a},720,3372,3287884,SecurityEvent, +,"10/18/2024, 9:30:03.828 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wejzfm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82b390f2-28d3-47ab-9649-e1976a4f5736},720,3372,3287886,SecurityEvent, +,"10/18/2024, 9:30:05.565 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whiteoaktrans,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d933e044-b2da-4e93-b7cf-51fa8a7d96dc},720,3372,3287888,SecurityEvent, +,"10/18/2024, 9:30:07.213 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcliff,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{026d1a7d-f823-4008-bdd0-32bb70c69728},720,3372,3287890,SecurityEvent, +,"10/18/2024, 9:30:09.023 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whealcorp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9aee2a16-cd63-4e4f-9020-c73d2b7422e4},720,3372,3287892,SecurityEvent, +,"10/18/2024, 9:30:10.731 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitepine-st,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b743f93d-8292-4cf7-97fb-a46f620611c7},720,3372,3287894,SecurityEvent, +,"10/18/2024, 9:30:12.381 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webmartgifts,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5aa3df17-3c00-43f4-a302-5eb7dcc6419f},720,3372,3287896,SecurityEvent, +,"10/18/2024, 9:30:14.315 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wildcatter,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fd0a0762-46cb-4c38-92ef-abaaef2b0818},720,3372,3287898,SecurityEvent, +,"10/18/2024, 9:30:15.966 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windrock,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04ee05a7-27ec-4bed-afb5-0062c511359b},720,3372,3287900,SecurityEvent, +,"10/18/2024, 9:30:17.616 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winheller,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0e68126-daf2-4cf5-ad0a-0d3eb51d1d0b},720,3372,3287902,SecurityEvent, +,"10/18/2024, 9:30:19.262 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilostar3d,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5b8003df-2750-48db-8303-334871e8a2fa},720,3372,3287904,SecurityEvent, +,"10/18/2024, 9:30:41.419 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.165,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ikopanas,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f0d8a6f7-bcc9-4e1a-bb4b-f92c8a4e0a9d},720,3372,3287936,SecurityEvent, +,"10/18/2024, 9:30:41.556 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whishbody,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{073eeed6-1782-4689-984a-d4e6a22c592d},720,3372,3287938,SecurityEvent, +,"10/18/2024, 9:30:43.227 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wever,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{68007e54-c372-485b-9700-b837662f5bb0},720,3372,3287940,SecurityEvent, +,"10/18/2024, 9:30:44.892 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wflyfm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ad98e0f-f138-4881-9de1-6f57722a6127},720,3372,3287942,SecurityEvent, +,"10/18/2024, 9:30:46.563 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weighting,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{66c1920b-df6f-42b8-8af4-e84019e73953},720,3372,3287944,SecurityEvent, +,"10/18/2024, 9:30:48.338 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webbplaza,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{96b655e1-19da-409b-a534-171bd2e26b02},720,3372,3287946,SecurityEvent, +,"10/18/2024, 9:30:50.085 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welmark,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49dc8bb7-38db-42b8-8b29-4e724c3bde9d},720,3372,3287948,SecurityEvent, +,"10/18/2024, 9:30:51.740 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winky,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{da5d2c41-461c-4080-a062-081a636cc3b2},720,3372,3287950,SecurityEvent, +,"10/18/2024, 9:30:53.408 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wicy,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25ebb709-96b3-4d82-aaaa-925f19c9ee24},720,3372,3287952,SecurityEvent, +,"10/18/2024, 9:30:55.061 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wingware,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06f57258-5da7-4256-822a-23505ad06639},720,3372,3287954,SecurityEvent, +,"10/18/2024, 9:30:56.716 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wddata,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d908ea95-cf7e-4894-84f7-bd44988b1400},720,3372,3287956,SecurityEvent, +,"10/18/2024, 9:30:58.372 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westfeild,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{01f5e379-01f6-47ab-bcca-61ee572f4738},720,3372,3287958,SecurityEvent, +,"10/18/2024, 9:31:00.057 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weathercast,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a6b71be-6e4c-4127-8265-6b3d3087378b},720,3372,3287962,SecurityEvent, +,"10/18/2024, 9:31:01.968 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilby,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26248b05-b224-4538-9a31-6fee0554a05d},720,3372,3287964,SecurityEvent, +,"10/18/2024, 9:31:03.643 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westvesey,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82e1418e-9573-4249-bf89-fb4b6e67d0db},720,3372,3287966,SecurityEvent, +,"10/18/2024, 9:31:05.377 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whiptydo,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a804a4b-b1a6-4af2-89e6-d887cf568fe6},720,3372,3287968,SecurityEvent, +,"10/18/2024, 9:31:07.044 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winemingles,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{529d922e-0068-4951-8f11-28e03e0f0100},720,3800,3287970,SecurityEvent, +,"10/18/2024, 9:31:08.698 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whiskeys,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7d0daf09-0170-4214-8787-b133cfbb2599},720,3800,3287972,SecurityEvent, +,"10/18/2024, 9:31:09.936 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handlos,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{526d9366-2008-4624-9561-75e4b0548c6f},720,3800,3287974,SecurityEvent, +,"10/18/2024, 9:31:10.352 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilcocap,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7422b08-d085-416c-a3b4-077951239d96},720,3800,3287976,SecurityEvent, +,"10/18/2024, 9:31:11.613 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,groupalchemy,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{969ef09b-ec83-42e3-abfa-754c68d72125},720,3800,3287978,SecurityEvent, +,"10/18/2024, 9:31:12.030 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wealthtv,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed59997c-ada0-4fc3-85b9-0a55ffd92dde},720,3800,3287982,SecurityEvent, +,"10/18/2024, 9:31:13.274 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haugbeck,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2d338083-d097-428d-a65a-497b746c8af3},720,3800,3287984,SecurityEvent, +,"10/18/2024, 9:31:13.965 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,websnoogie,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1605fecf-ba77-41d2-9998-f45c89bbeb11},720,3800,3287986,SecurityEvent, +,"10/18/2024, 9:31:14.942 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hamiltonlab,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{080992cf-fe0b-4cb5-a59d-723dd59a4566},720,3800,3287988,SecurityEvent, +,"10/18/2024, 9:31:15.642 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werebear,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d44f2718-4c7f-4f50-b428-d663b936f745},720,3800,3287990,SecurityEvent, +,"10/18/2024, 9:31:16.588 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handicappers,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f8a4dbca-93c8-43c3-9741-e389289b861e},720,3800,3287992,SecurityEvent, +,"10/18/2024, 9:31:17.443 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcomp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2799ea55-3ce4-40d0-b6b3-438214423d47},720,3800,3287994,SecurityEvent, +,"10/18/2024, 9:31:18.238 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hacku,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b7469a00-3261-4748-9d0c-724d39bf9638},720,3800,3287996,SecurityEvent, +,"10/18/2024, 9:31:19.260 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winchoice,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{734ccf55-367e-4ed1-af2e-222222443213},720,3800,3287998,SecurityEvent, +,"10/18/2024, 9:31:19.919 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grouplm3,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1776fa71-ddbd-4c9c-885d-76ad5130ba9f},720,3800,3288000,SecurityEvent, +,"10/18/2024, 9:31:40.060 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.159,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,woozels,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{93373917-bd79-4c23-8163-04179c2baeaf},720,3800,3288064,SecurityEvent, +,"10/18/2024, 9:31:40.351 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wenlight,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00a00241-6dd3-4b27-bd1e-56d955ac130c},720,3800,3288066,SecurityEvent, +,"10/18/2024, 9:31:40.516 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtatravel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f2bad0a-37bd-4c66-8461-1da5b27446bf},720,3800,3288068,SecurityEvent, +,"10/18/2024, 9:31:43.045 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wellsplastics,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82c5ab54-fec8-4113-99cb-cbb209df068c},720,3800,3288073,SecurityEvent, +,"10/18/2024, 9:31:43.268 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haztek,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{48ba00c9-51a4-481e-96ab-dba25836ba37},720,3800,3288075,SecurityEvent, +,"10/18/2024, 9:31:45.520 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wendellfoster,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2b360e3-a70b-41a5-8a52-0a326bf2aaa2},720,3800,3288077,SecurityEvent, +,"10/18/2024, 9:31:45.521 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hagley,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b4569aaa-2e84-4c19-bb24-746c780d4d36},720,3800,3288079,SecurityEvent, +,"10/18/2024, 9:31:47.172 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weberflavors,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8431060-f4b4-43fa-921c-6ae420f90deb},720,3800,3288081,SecurityEvent, +,"10/18/2024, 9:31:47.173 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haruo,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca069d3f-ef3d-43c1-8d2b-8f9d7592d71e},720,3800,3288083,SecurityEvent, +,"10/18/2024, 9:31:48.945 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weber-entec,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f0eb89a2-860a-4961-8359-510397604540},720,3800,3288085,SecurityEvent, +,"10/18/2024, 9:31:48.973 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gulfisland,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa584bb5-437c-4d6e-80f3-910cf7ce679b},720,3800,3288087,SecurityEvent, +,"10/18/2024, 9:31:50.628 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willowview,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ce675d6c-4e56-4956-861c-72a47f823f83},720,3800,3288089,SecurityEvent, +,"10/18/2024, 9:31:50.637 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gryf,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{718b657b-e2f8-4958-b1ac-fdac51be9514},720,3800,3288091,SecurityEvent, +,"10/18/2024, 9:31:52.277 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welltechlabs,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36774591-abe1-4559-b97f-5bf0076b8e0f},720,3800,3288093,SecurityEvent, +,"10/18/2024, 9:31:52.313 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harwest,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{357d73fa-edd0-4795-aa91-a6d179e1e3e7},720,3800,3288095,SecurityEvent, +,"10/18/2024, 9:31:52.705 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,107.150.56.10,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,user,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f039a3d-4ff3-4a4c-adcb-775c065b6f98},720,3800,3288097,SecurityEvent, +,"10/18/2024, 9:31:54.027 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weldcote,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ce61316b-2766-45be-a973-d031f56f84e9},720,3800,3288099,SecurityEvent, +,"10/18/2024, 9:31:54.051 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,happycar,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82bd9fc3-24fe-4c28-98e0-dbfdcd333820},720,3800,3288101,SecurityEvent, +,"10/18/2024, 9:31:55.695 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wholeloans,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0dbb2b9e-c12a-4ae7-8daf-d7c83e3ae2bc},720,3800,3288103,SecurityEvent, +,"10/18/2024, 9:31:55.714 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hasskamp,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{267bd069-5bae-4a7b-8e8e-1bc55989f742},720,3800,3288105,SecurityEvent, +,"10/18/2024, 9:31:57.427 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guhamajumdar,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f302c97-8a23-4754-8f30-13387e16e119},720,3800,3288107,SecurityEvent, +,"10/18/2024, 9:31:57.429 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whalls,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4d08b70-2bb6-4d52-a573-f1f27eae7179},720,3800,3288109,SecurityEvent, +,"10/18/2024, 9:31:57.757 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.161,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,Ashleighliliput,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{654b59f2-2be2-462d-88bb-21600ad585cf},720,3800,3288111,SecurityEvent, +,"10/18/2024, 9:31:59.085 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wernz-elektro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{551e325e-9314-401c-9e04-d6f259ded957},720,3800,3288113,SecurityEvent, +,"10/18/2024, 9:31:59.104 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harllee,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fb127c0c-4606-40ed-a715-96c84c5dd9ad},720,3800,3288115,SecurityEvent, +,"10/18/2024, 9:32:21.032 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gussio,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{91fe03fe-c59f-47a9-8888-41073efd5059},720,3800,3288168,SecurityEvent, +,"10/18/2024, 9:32:21.565 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wigro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b363e81b-0e27-48ed-bb6b-113ef64f3ad6},720,3800,3288170,SecurityEvent, +,"10/18/2024, 9:32:22.820 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,havens,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8311be64-a7c3-4d5c-9769-c7a0dd2fae72},720,3800,3288172,SecurityEvent, +,"10/18/2024, 9:32:23.224 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windhill,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2d15197-4cd7-43b3-a6cf-aa5202fa83da},720,3800,3288174,SecurityEvent, +,"10/18/2024, 9:32:24.469 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harrisontc,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{acfd8a9b-1151-41b9-b63d-308b0cd238db},720,3800,3288176,SecurityEvent, +,"10/18/2024, 9:32:24.893 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitins,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06f774da-ec97-4b6d-b138-64ef4e0c64ec},720,3800,3288178,SecurityEvent, +,"10/18/2024, 9:32:26.130 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growlever,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ebab87cd-8ec0-4294-b1f1-128573bd67c9},720,3800,3288180,SecurityEvent, +,"10/18/2024, 9:32:26.566 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearetipjar,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9eaa1de0-1777-41ea-ae0c-a2a155a65d97},720,3800,3288182,SecurityEvent, +,"10/18/2024, 9:32:27.810 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,havenyield,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dcb13e8b-56b8-413e-b22d-aac535e5f5f4},720,3800,3288184,SecurityEvent, +,"10/18/2024, 9:32:28.279 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weselyan,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11bac52d-36d9-4426-ba5b-6b0fc3fb7cf3},720,3800,3288186,SecurityEvent, +,"10/18/2024, 9:32:29.490 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guyviti,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{adca32dc-3d0f-4949-9226-6225655b4c0c},720,3800,3288188,SecurityEvent, +,"10/18/2024, 9:32:30.035 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wectac,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c0fa64a-92dc-48a7-91ff-466adfabd22e},720,3800,3288190,SecurityEvent, +,"10/18/2024, 9:32:31.261 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harmonyhit,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a5c09f7-b836-4c2c-8f52-7854808407c9},720,3800,3288193,SecurityEvent, +,"10/18/2024, 9:32:31.887 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wehealth,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2ff2b6c9-ccc9-4917-962c-39622f105215},720,3800,3288196,SecurityEvent, +,"10/18/2024, 9:32:32.927 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,groceryships,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f04b79be-7190-4d5a-b1dd-9af3b4653b6d},720,3800,3288198,SecurityEvent, +,"10/18/2024, 9:32:34.882 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guebert,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{145785a7-75d5-4cd1-bc0e-6cd273d63a48},720,3800,3288200,SecurityEvent, +,"10/18/2024, 9:32:36.549 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grisso,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{af61ab80-0833-42fd-9f42-793a535e703b},720,3800,3288202,SecurityEvent, +,"10/18/2024, 9:32:36.568 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werboff,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1eba419c-6202-463c-bbe0-267f9d2a1e5a},720,3800,3288204,SecurityEvent, +,"10/18/2024, 9:32:38.222 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,groupnec,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ae338d1-750f-4567-b1f2-2d2801fe4c2c},720,3800,3288206,SecurityEvent, +,"10/18/2024, 9:32:38.235 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wellssebring,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8c3de598-c6fa-4983-92f7-c6ae146155b9},720,3800,3288208,SecurityEvent, +,"10/18/2024, 9:32:39.964 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearegftb,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b2353fc4-4a34-4943-96ad-a0534883c76e},720,3800,3288210,SecurityEvent, +,"10/18/2024, 9:32:40.073 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hc-carbon,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c9fa929d-4261-4c8a-9a9c-4573dc4c3467},720,3800,3288212,SecurityEvent, +,"10/18/2024, 9:32:41.629 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webfwd,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c4292ed4-0613-4172-b23f-fb4801f48238},720,3800,3288214,SecurityEvent, +,"10/18/2024, 9:32:41.747 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gweek,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{73b631b1-0f9f-40fd-97b6-cb96bb9bcbce},720,3800,3288216,SecurityEvent, +,"10/18/2024, 9:32:43.298 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weatherwise,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b3833a11-84d6-41bf-8bc6-c074485b578c},720,3800,3288218,SecurityEvent, +,"10/18/2024, 9:32:43.395 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hamburg,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{efa404df-fd20-4776-9cc0-8a8d389b8cdb},720,3800,3288220,SecurityEvent, +,"10/18/2024, 9:32:45.012 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whowontpay,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d596fb84-b054-4927-9e9f-dd137dae282a},720,3800,3288222,SecurityEvent, +,"10/18/2024, 9:32:45.134 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hbk,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50ca6f2c-a86a-45a2-b4fb-48ae964df5a8},720,3800,3288224,SecurityEvent, +,"10/18/2024, 9:32:46.695 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windsorfoods,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a337071a-d66e-4ff0-b298-246a9940cd6a},720,3800,3288226,SecurityEvent, +,"10/18/2024, 9:32:46.797 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardfacing,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1cc910da-45e3-4c5d-aacd-187d6a86c8d5},720,3800,3288228,SecurityEvent, +,"10/18/2024, 9:32:48.348 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willims,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f3c127d-f160-4c4e-9356-e5735648c2df},720,3800,3288230,SecurityEvent, +,"10/18/2024, 9:32:48.473 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,group7,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6d5bd87-2fce-4559-b14b-0ae07b2e627a},720,3800,3288232,SecurityEvent, +,"10/18/2024, 9:32:50.037 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willamalane,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{22f01e5d-c2ab-4681-965a-9166ce239a53},720,3800,3288234,SecurityEvent, +,"10/18/2024, 9:32:50.147 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtworld,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1b2fa49e-d2d8-4cd9-b60d-edc29abd5ed9},720,3800,3288236,SecurityEvent, +,"10/18/2024, 9:32:51.732 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windsweptit,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b662e0c7-975b-4c2f-8108-8e9cb6945f67},720,3800,3288238,SecurityEvent, +,"10/18/2024, 9:32:51.838 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtsservices,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{66996b30-ab85-4a81-b2cd-3dc44d82dfd3},720,3800,3288240,SecurityEvent, +,"10/18/2024, 9:32:53.388 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weimer,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{61cd379d-6a01-4739-82f4-072f7244ccfc},720,3800,3288242,SecurityEvent, +,"10/18/2024, 9:32:53.505 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hantge,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a85fcb54-39a7-4c49-9c08-45eee80b5641},720,3800,3288244,SecurityEvent, +,"10/18/2024, 9:32:55.055 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetech,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dea91c8b-2373-410e-b8d1-e31dee9b26c0},720,3800,3288246,SecurityEvent, +,"10/18/2024, 9:32:55.163 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growingbolder,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c55e5088-4c54-43c1-ad93-fd43748f5260},720,3800,3288248,SecurityEvent, +,"10/18/2024, 9:32:55.920 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.160,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,domdring14,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4d91fcf-d8bc-4d4c-a931-fbb5e027c256},720,3800,3288250,SecurityEvent, +,"10/18/2024, 9:32:56.805 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearebestday,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{68b6145f-8f12-41b9-aea4-a3aa4ea3da6c},720,3800,3288252,SecurityEvent, +,"10/18/2024, 9:32:56.822 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haystravel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d30a3487-0376-42c8-a31c-8b85c097831c},720,3800,3288254,SecurityEvent, +,"10/18/2024, 9:32:58.471 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grothjan,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f1483e13-8b12-44f6-b1a7-052a6442a052},720,3800,3288256,SecurityEvent, +,"10/18/2024, 9:32:58.519 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webdesign-grimm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{307ea978-ef58-4c49-867e-52aa17223d45},720,3800,3288258,SecurityEvent, +,"10/18/2024, 9:32:58.663 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.165,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,oyunicin1453,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa6c7955-9202-431d-ba52-dbdbe4c450c1},720,3800,3288260,SecurityEvent, +,"10/18/2024, 9:33:06.408 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11T.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - 
Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2e4,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11T$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11T$,S-1-5-18,,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,c9171ffe-8c3d-49d2-8c8b-fc5af77d39d0,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:45.173 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{f14a5193-d9b7-4119-8b21-403a50241ad7},748,3496,10779957,SecurityEvent, +,"10/18/2024, 9:33:08.228 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11U.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2c4,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11U$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11U$,S-1-5-18,0xc000006e,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,411f600a-a0a4-4572-b678-debfbf4c5d39,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:50.154 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{2ed6c066-e0b5-459b-b3fb-c21a0c64b51b},716,1404,11213676,SecurityEvent, +,"10/18/2024, 9:33:40.544 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wegebielefeld,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{95dd45bb-6b11-4f42-b84f-e8bd3d3d42d8},720,3800,3288364,SecurityEvent, +,"10/18/2024, 9:33:40.822 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harren,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f2229eac-5065-4bf0-80a6-679d7f6a2ec6},720,3800,3288366,SecurityEvent, +,"10/18/2024, 9:33:42.284 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westrey,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8289f65d-5bfb-441e-aad1-03402cd2703a},720,3800,3288368,SecurityEvent, +,"10/18/2024, 9:33:42.475 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gsignal,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{de4b3779-a758-4f3b-bfff-a8429380ae99},720,3800,3288370,SecurityEvent, +,"10/18/2024, 9:33:43.936 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgns,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c79028b0-0611-41e5-9dc2-aa74e4e5a1a7},720,3800,3288372,SecurityEvent, +,"10/18/2024, 9:33:44.221 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harz,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a2e1daf3-9186-4518-aee6-0dd7c4768b4c},720,3800,3288374,SecurityEvent, +,"10/18/2024, 9:33:45.612 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,websutra,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bd5ef7d6-db03-4ec2-bd52-0b2b9f747604},720,3800,3288376,SecurityEvent, +,"10/18/2024, 9:33:45.893 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hanc-sf,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3f650d78-3b14-4fce-85f6-eb33505f721d},720,3800,3288378,SecurityEvent, +,"10/18/2024, 9:33:47.354 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weizman,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fba5f3c6-36f1-4ee7-ba87-3aa0e6554cd7},720,3800,3288380,SecurityEvent, +,"10/18/2024, 9:33:47.588 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtconsult,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f269e1e5-3a99-4e07-bb0f-51755927869c},720,3800,3288382,SecurityEvent, +,"10/18/2024, 9:33:49.114 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wdp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{37f051e6-8612-40a2-a4e9-536d3e32545f},720,3800,3288384,SecurityEvent, +,"10/18/2024, 9:33:49.385 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hammerplc,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{22a746b7-ed30-499d-9235-d12dcee61e4e},720,3800,3288386,SecurityEvent, +,"10/18/2024, 9:33:50.763 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westerfield,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee8a2d09-9d11-4801-80fb-fe7bb48e9cad},720,3800,3288388,SecurityEvent, +,"10/18/2024, 9:33:51.033 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harvestmarks,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{30fd7747-8684-43df-a585-8c2b9763d783},720,3800,3288390,SecurityEvent, +,"10/18/2024, 9:33:52.420 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windowrama,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b59936c2-c17f-45a7-a165-0923547a2b9d},720,3800,3288392,SecurityEvent, +,"10/18/2024, 9:33:52.690 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handkeindustrie,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c5e94ec4-13e1-49aa-bfd1-808babe46bb5},720,3800,3288394,SecurityEvent, +,"10/18/2024, 9:33:54.097 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilburellis,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2441c3c9-5aea-498f-bbbb-a33464a0e3d0},720,3800,3288396,SecurityEvent, +,"10/18/2024, 9:33:54.351 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.166,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,vlekd,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{51043640-2c1c-4a22-98d3-375c56031dce},720,3800,3288398,SecurityEvent, +,"10/18/2024, 9:33:54.360 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handris,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26d6fc34-9fb4-4a23-a529-d61da315930d},720,3800,3288400,SecurityEvent, +,"10/18/2024, 9:33:54.362 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.167,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,keeganwb,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1c92001a-c3cb-4352-97b9-78d7ef36f520},720,3800,3288402,SecurityEvent, +,"10/18/2024, 9:33:54.902 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,40.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,marktuedor,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5b294528-0280-4e5a-8e09-b8d4a41537c7},720,3800,3288404,SecurityEvent, +,"10/18/2024, 9:33:55.755 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werkt,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9a5606ac-6181-48b8-8a8a-4f1a33b77630},720,3800,3288406,SecurityEvent, +,"10/18/2024, 9:33:56.021 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gullickson,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{16a28754-2607-4991-9f74-1e4a9cf73b6d},720,3800,3288408,SecurityEvent, +,"10/18/2024, 9:33:56.585 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.159,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sayers65,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e25a4519-dd69-47dd-a2b9-53996451abdc},720,3800,3288410,SecurityEvent, +,"10/18/2024, 9:33:57.447 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wertios,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0e05192c-e535-4af2-a076-22ceb9db6c97},720,3800,3288412,SecurityEvent, +,"10/18/2024, 9:33:57.671 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hailian,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2cfedb09-3924-4b3b-bf52-d5c8293bb734},720,3800,3288414,SecurityEvent, +,"10/18/2024, 9:33:59.202 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webneed,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49283701-3569-434d-b40a-450235802733},720,3800,3288416,SecurityEvent, +,"10/18/2024, 9:33:59.393 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,group1201,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{89352960-2e72-493d-bff0-47ea287d7735},720,3800,3288418,SecurityEvent, +,"10/18/2024, 10:03:00.366 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wildsports,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ea53d67-841a-4943-9777-1ccf1be3bda6},720,4436,3292816,SecurityEvent, +,"10/18/2024, 10:03:01.064 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gulfexlp,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99a05f33-cff7-4c78-aa0e-de5d301a94a2},720,4436,3292818,SecurityEvent, +,"10/18/2024, 10:03:02.046 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wczxfm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4d0ccf87-9561-4752-a660-af9214e07495},720,208,3292820,SecurityEvent, +,"10/18/2024, 10:03:02.750 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hassltd,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{81f4baa0-9573-4f12-9b46-c9c271cbe015},720,208,3292822,SecurityEvent, +,"10/18/2024, 10:03:03.717 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welearn,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50bbcaa2-c595-426a-ab5e-7230b9ee9738},720,208,3292824,SecurityEvent, +,"10/18/2024, 10:03:04.397 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gunnarson,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c6d381b-5d4f-49e2-8605-90c7ca684003},720,208,3292826,SecurityEvent, +,"10/18/2024, 10:03:05.496 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitecar,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c80737f8-a628-4da5-ac9f-b35c6e19e7f1},720,208,3292828,SecurityEvent, +,"10/18/2024, 10:03:06.083 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guildery,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e428dba7-bd82-4c6d-8dd7-b13be8b89ec7},720,208,3292830,SecurityEvent, +,"10/18/2024, 10:03:07.166 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welser,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{abce2439-a679-4d92-bc09-9f76bfcb928f},720,208,3292832,SecurityEvent, +,"10/18/2024, 10:03:07.870 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hartian,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{df4fbaef-1ae8-47d3-9f69-6da13c4cd9ab},720,208,3292834,SecurityEvent, +,"10/18/2024, 10:03:08.827 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,widrick,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5d521701-1e5d-48ad-9b05-94a2d91a40fd},720,208,3292836,SecurityEvent, +,"10/18/2024, 10:03:09.557 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growthprocess,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{be0cda69-2cb4-47e2-b0a4-677725b1454e},720,208,3292838,SecurityEvent, +,"10/18/2024, 10:03:10.549 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wehrkamp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{43fc476b-ffa3-444b-9e58-b20cd7a7b61e},720,208,3292840,SecurityEvent, +,"10/18/2024, 10:03:11.223 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hammerquist,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f67e9128-48df-41e3-a2cf-dc4f2441cf8b},720,208,3292842,SecurityEvent, +,"10/18/2024, 10:03:12.202 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weka-media,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5e2e3c0e-aad8-4609-a62d-ee4b1bcb6926},720,208,3292844,SecurityEvent, +,"10/18/2024, 10:03:12.901 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hashpi,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aadf1c91-d28f-4c5b-aba8-d1040c588f04},720,208,3292846,SecurityEvent, +,"10/18/2024, 10:03:13.867 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wildtrails,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6c529e48-1561-4d78-b125-7dbdc8c96279},720,208,3292848,SecurityEvent, +,"10/18/2024, 10:03:14.676 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtigrows,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a75c8c73-65e0-43ec-b12c-fcd640673ddf},720,208,3292850,SecurityEvent, +,"10/18/2024, 10:03:15.647 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wesrtchester,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{693f4436-b627-4804-962e-380af14ed731},720,208,3292852,SecurityEvent, +,"10/18/2024, 10:03:16.323 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hayesmichael,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{01a6a3cf-89dc-4cb1-b643-ca09a71eaf67},720,208,3292854,SecurityEvent, +,"10/18/2024, 10:03:17.305 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webcasa,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fcacacb1-4a21-4917-8a40-65b44e50dace},720,208,3292856,SecurityEvent, +,"10/18/2024, 10:03:17.989 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gypsos,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{27c2917d-a6b2-43d6-b1ab-0c19e3cf9055},720,208,3292858,SecurityEvent, +,"10/18/2024, 10:03:19.002 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weilandworks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{47d16633-eda3-4cd7-9f3b-025945b7bb40},720,208,3292860,SecurityEvent, +,"10/18/2024, 10:03:19.667 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hbus,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2d62d69-de35-42ee-b52b-e2182965e9b0},720,208,3292862,SecurityEvent, +,"10/18/2024, 10:03:20.652 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearelatech,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{57329ff3-9ebc-4511-bfb7-bf48a3013bb8},720,208,3292864,SecurityEvent, +,"10/18/2024, 10:03:21.409 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,h2out,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{703f7057-7a67-4fb4-99ad-b43d3af63235},720,208,3292866,SecurityEvent, +,"10/18/2024, 10:03:22.342 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windation,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{385ca489-6cd5-4ede-832c-4cc0e70e75a2},720,208,3292868,SecurityEvent, +,"10/18/2024, 10:03:23.089 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hbmholdings,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25d8fbc8-84a8-4ce1-9659-add829d4939d},720,208,3292870,SecurityEvent, +,"10/18/2024, 10:03:24.019 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weblerr,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8c5940c3-4ad7-4a21-ae55-f89c0d31fcd5},720,208,3292872,SecurityEvent, +,"10/18/2024, 10:03:24.796 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,happiestbaby,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e8586394-f2a8-48fc-a704-4b47b4e2a8da},720,208,3292874,SecurityEvent, +,"10/18/2024, 10:03:25.684 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whatknots,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7777bdf3-534d-44b7-bfb4-371ff5f75e93},720,208,3292876,SecurityEvent, +,"10/18/2024, 10:03:26.761 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harnel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25306541-bf86-4ea2-8766-0fa18d82e2cd},720,208,3292878,SecurityEvent, +,"10/18/2024, 10:03:27.452 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welchosen,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{52a18228-eb5f-4bec-830e-9dc16cf11a7a},720,208,3292880,SecurityEvent, +,"10/18/2024, 10:03:28.435 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardyhalpern,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{34e30fa4-ef35-4b62-80af-24637bac234c},720,208,3292882,SecurityEvent, +,"10/18/2024, 10:03:29.123 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wegainformatik,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff572840-e5cb-4ca5-a3e8-295197ee5fec},720,208,3292884,SecurityEvent, +,"10/18/2024, 10:03:30.107 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gringa,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd1fe7a5-c9d1-4559-9af4-369f26e53092},720,208,3292886,SecurityEvent, +,"10/18/2024, 10:03:30.792 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werbeboten,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49be6feb-1c16-4587-9caa-d2469633ea0a},720,208,3292888,SecurityEvent, +,"10/18/2024, 10:03:31.862 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardblue,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2ab4c482-80fd-41e2-a8db-0052526637dc},720,208,3292892,SecurityEvent, +,"10/18/2024, 10:03:32.441 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westnetworks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04929cfe-05f5-41a3-a8ca-7f25658004a7},720,208,3292894,SecurityEvent, +,"10/18/2024, 10:03:33.064 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,48.218.27.65,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,WPServer-Web01,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0ac1e889-2d9d-417f-919e-107483b2a3f9},720,208,3292896,SecurityEvent, +,"10/18/2024, 10:03:33.606 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hassenfratz,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c5181d16-43b4-4158-9027-eac4b8166bc5},720,208,3292898,SecurityEvent, +,"10/18/2024, 10:03:34.162 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welllink,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2d02e52-8376-4589-b54e-af200f459df2},720,208,3292900,SecurityEvent, +,"10/18/2024, 10:03:35.282 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haliant,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aacfb0d9-ffa1-40c7-8538-ce12eede3c2f},720,208,3292902,SecurityEvent, +,"10/18/2024, 10:03:35.835 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wibitsports,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9b29e47c-7c38-4d9a-a231-9a5fcd87ec86},720,208,3292904,SecurityEvent, +,"10/18/2024, 10:03:36.946 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guestcounts,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a9db4a11-59c6-454f-8d5c-94b311b326b2},720,208,3292906,SecurityEvent, +,"10/18/2024, 10:03:37.486 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wffe,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{24b1b5b2-c32d-434f-9bbd-5f19a466b789},720,208,3292908,SecurityEvent, +,"10/18/2024, 10:03:38.608 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handeland,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c4835ed8-c68a-4b48-aa51-f899c14fb44a},720,208,3292910,SecurityEvent, +,"10/18/2024, 10:03:39.136 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wesawit,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{51d9d07f-d78f-425c-a229-7696d3716043},720,208,3292912,SecurityEvent, +,"10/18/2024, 10:05:40.088 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winnfield,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{62a0074a-6af8-4947-a016-5da114c9a42b},720,208,3293219,SecurityEvent, +,"10/18/2024, 10:05:40.659 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growthnet,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f1b1fd5-b910-42e5-9e79-fbece9536241},720,208,3293221,SecurityEvent, +,"10/18/2024, 10:05:41.747 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wesla,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a95819cb-acef-44df-910a-80e01c5a9b01},720,208,3293223,SecurityEvent, +,"10/18/2024, 10:05:42.442 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,h2o-diving,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e5c64a36-9ef1-4fcf-9777-5fad15ff56b6},720,208,3293225,SecurityEvent, +,"10/18/2024, 10:05:43.473 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whey,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8a7a2af4-fb64-4c97-8981-a742c62b68cd},720,208,3293227,SecurityEvent, +,"10/18/2024, 10:05:44.097 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grushgamer,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5ccbc1e2-d8be-4ed0-ae07-b2e6caf6d561},720,208,3293229,SecurityEvent, +,"10/18/2024, 10:05:45.263 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetnoz,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a8728480-fa12-48d5-ba23-4dbc61f65ee9},720,208,3293231,SecurityEvent, +,"10/18/2024, 10:05:45.766 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hajir,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{be7d41d2-7d62-40b1-af28-5962211eee95},720,208,3293233,SecurityEvent, +,"10/18/2024, 10:05:46.920 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgdr,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97aa25db-617a-4485-a064-781b03c253ae},720,208,3293235,SecurityEvent, +,"10/18/2024, 10:05:47.417 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hakone,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e022ff2a-ec65-4164-a1fe-3a974fa46e2f},720,208,3293237,SecurityEvent, +,"10/18/2024, 10:05:48.629 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wienecke,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f7c1e34-87e1-497f-a1b1-c7877dffb7e5},720,208,3293239,SecurityEvent, +,"10/18/2024, 10:05:48.894 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,35.222.84.199,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,user,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17ca5599-23cb-4be7-a4df-a53150615458},720,208,3293241,SecurityEvent, +,"10/18/2024, 10:05:49.072 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guardianlv,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cfce20f5-c254-4945-a5be-0968e1db7465},720,208,3293243,SecurityEvent, +,"10/18/2024, 10:05:50.335 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whirelandplc,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a996468c-fc91-497a-bc7d-8c2050d09fb2},720,208,3293245,SecurityEvent, +,"10/18/2024, 10:05:50.738 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haileyville,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4fa861cd-28d5-4a17-b6dd-b155702432b1},720,208,3293247,SecurityEvent, +,"10/18/2024, 10:05:51.989 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windlers,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cf5df87e-dd55-4920-b4e6-a7dcc9a23689},720,208,3293249,SecurityEvent, +,"10/18/2024, 10:05:52.475 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gynecologic,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed5d1daa-4ed8-4007-8e99-1fa62b8662f6},720,208,3293251,SecurityEvent, +,"10/18/2024, 10:05:53.652 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webpass,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a0d0f96-69ea-4146-a2b4-5c8cf4812d81},720,208,3293253,SecurityEvent, +,"10/18/2024, 10:05:54.295 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hagerstownwa,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23641a2c-2a52-4f87-9c06-668e646a9695},720,208,3293255,SecurityEvent, +,"10/18/2024, 10:05:55.377 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whittmre,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{65de853c-6998-453b-91f9-31d0b6c8ab59},720,208,3293257,SecurityEvent, +,"10/18/2024, 10:05:55.970 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growlean,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d51f9dff-0735-4109-b424-79552c962fe0},720,208,3293259,SecurityEvent, +,"10/18/2024, 10:05:57.117 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wigan,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25346c73-66a5-40fd-8f01-14af78ba2734},720,208,3293261,SecurityEvent, +,"10/18/2024, 10:05:57.662 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hamover,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f0490378-e408-4684-9de6-17dab56bfddd},720,208,3293263,SecurityEvent, +,"10/18/2024, 10:05:58.798 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearehpg,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a83b182-bf7a-4049-bd99-d7378b60d321},720,208,3293265,SecurityEvent, +,"10/18/2024, 10:05:59.318 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grippin,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0ea34b20-32ce-4053-96cc-76db212d5bad},720,208,3293267,SecurityEvent, +,"10/18/2024, 10:06:00.477 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westernpi,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d900579-c658-454d-ae3f-0b3628c25e41},720,208,3293269,SecurityEvent, +,"10/18/2024, 10:06:00.995 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,h2flow,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ab92f70a-8895-4d89-a1db-86364bd7e022},720,208,3293271,SecurityEvent, +,"10/18/2024, 10:06:01.839 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.160,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,waynehaylett39,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2411e007-910d-43bc-9d68-b23346878b7b},720,208,3293273,SecurityEvent, +,"10/18/2024, 10:06:02.173 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wenneker,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8162a9f-aefd-4ae5-aaf7-9bdf06af4630},720,208,3293275,SecurityEvent, +,"10/18/2024, 10:06:02.809 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haensel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a6dc3ea-1a4f-44fb-88cc-298fadbc76e9},720,208,3293277,SecurityEvent, +,"10/18/2024, 10:06:03.819 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westdigital,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c7c4930-28ce-4d85-b172-367c25219d46},720,208,3293279,SecurityEvent, +,"10/18/2024, 10:06:04.475 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harborlink,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4ed28531-a555-4b83-b532-7127892d86e1},720,208,3293281,SecurityEvent, +,"10/18/2024, 10:06:05.570 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whisnant,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b641fbc-926b-402c-ac86-7cb200204dfe},720,208,3293283,SecurityEvent, +,"10/18/2024, 10:06:06.305 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grimm-co,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d461d2f-ac67-4649-8b3c-b2f28437b9a2},720,208,3293285,SecurityEvent, +,"10/18/2024, 10:06:07.413 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weegro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{375e4e55-b01b-4884-ae22-ecd8d988eefc},720,208,3293287,SecurityEvent, +,"10/18/2024, 10:06:07.981 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hadly,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{37a0b844-e832-49c1-960d-cb7df0579df3},720,208,3293289,SecurityEvent, +,"10/18/2024, 10:06:09.076 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgsc,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8932d7fb-5629-405a-a772-2aa15eeb0296},720,208,3293291,SecurityEvent, +,"10/18/2024, 10:06:09.642 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hasson,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bc7085be-92ed-4f20-86a4-3a9255bf657f},720,208,3293293,SecurityEvent, +,"10/18/2024, 10:06:10.879 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,widermere,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25d1d8a2-8ee2-42d9-befe-90bcdb254489},720,208,3293295,SecurityEvent, +,"10/18/2024, 10:06:11.304 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harmonsolar,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{204ad197-d0c1-4018-9cb3-33c400d56987},720,208,3293297,SecurityEvent, +,"10/18/2024, 10:06:12.596 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willough,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f93d5420-9f6a-4465-9399-8167f6dbc987},720,208,3293299,SecurityEvent, +,"10/18/2024, 10:06:12.961 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haas4,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5303162-c787-45f3-8d3d-b25516ed3b21},720,208,3293301,SecurityEvent, +,"10/18/2024, 10:06:14.342 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whatnots,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{312e282e-7efa-4813-845e-aef42e8b9e1d},720,208,3293303,SecurityEvent, +,"10/18/2024, 10:06:14.680 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardide,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{368580b8-89ff-4571-b92c-aa2b71f1c6da},720,208,3293305,SecurityEvent, +,"10/18/2024, 10:06:16.043 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgl,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bd8e2b69-66dd-46c1-aac9-d3a9b19ede5e},720,208,3293307,SecurityEvent, +,"10/18/2024, 10:06:16.333 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtplanet,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b2f48a9-84ee-4511-959a-9f524ee37288},720,208,3293309,SecurityEvent, +,"10/18/2024, 10:06:17.695 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webops,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f9dd63a4-794f-4b03-9a98-b4ca8efcc466},720,208,3293311,SecurityEvent, +,"10/18/2024, 10:06:17.982 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harrisonscott,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23c33ff5-0b95-4fd2-8fb1-82440053b887},720,208,3293313,SecurityEvent, +,"10/18/2024, 10:06:19.501 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetch,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ba15d533-8adb-42d7-abfd-242fc5a12556},720,208,3293315,SecurityEvent, +,"10/18/2024, 10:06:19.690 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,habitheque,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1d760439-e1ba-4fbe-a2d3-315e0bed7734},720,208,3293317,SecurityEvent, +,"10/17/2024, 4:23:40.089 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sambucos,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ddbbb8dd-3f87-498e-bb90-4ec17114f292},720,8164,3125550,SecurityEvent, +,"10/17/2024, 4:23:40.158 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geety,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{104129de-69b8-4499-b339-746405b3d5c7},720,8164,3125552,SecurityEvent, +,"10/17/2024, 4:23:40.981 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spreetit,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{56bfa301-d54f-473f-8306-9ad256df07ac},720,8164,3125554,SecurityEvent, +,"10/17/2024, 4:23:41.137 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electracorp,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7399e54e-0829-4c9b-80fd-dfe0f2344ea1},720,8164,3125556,SecurityEvent, +,"10/17/2024, 4:23:41.377 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boxblaster,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b47802b6-e152-4b40-b4e9-2e661e3a523a},720,8164,3125558,SecurityEvent, +,"10/17/2024, 4:23:41.735 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rshughes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8870c88d-948e-4639-8e5c-97763c6dd098},720,8164,3125560,SecurityEvent, +,"10/17/2024, 4:23:42.623 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garritys,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f70cfa76-e71c-46e8-a0ac-f587966d007c},720,8164,3125562,SecurityEvent, +,"10/17/2024, 4:23:42.792 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spiritas,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6b0bc714-7c9a-46e3-8754-0440f28adff9},720,8164,3125564,SecurityEvent, +,"10/17/2024, 4:23:42.850 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elbi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{611e14fe-0c5f-4541-a6e5-5b69da67a013},720,8164,3125566,SecurityEvent, +,"10/17/2024, 4:23:43.045 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgemedica,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23a10083-f673-4547-8682-f7ca84792c91},720,8164,3125568,SecurityEvent, +,"10/17/2024, 4:23:43.398 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safe-esteem,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3330a871-fad7-481f-8acf-10a0f56e28c2},720,8164,3125570,SecurityEvent, +,"10/17/2024, 4:23:44.145 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gistfood,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f84971e5-1ca1-4e74-a689-731492d08a1b},720,8164,3125572,SecurityEvent, +,"10/17/2024, 4:23:44.459 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparxsports,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2593d07d-11d3-48bb-8d53-52d3509f95e3},720,8164,3125574,SecurityEvent, +,"10/17/2024, 4:23:44.498 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echosummit,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{baf5f45c-b934-4acd-aa37-323e2edb2f78},720,8164,3125576,SecurityEvent, +,"10/17/2024, 4:23:44.762 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brunschwig,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9a5d3893-4615-4ce0-bede-dabb4a6288c1},720,8164,3125578,SecurityEvent, +,"10/17/2024, 4:23:45.105 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rolfsons,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{816ab1cf-05d4-495f-8fda-293b22d2c7b7},720,8164,3125580,SecurityEvent, +,"10/17/2024, 4:23:45.613 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemstonehomes,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{901a0372-ba6c-4a6a-8a82-682982a8843b},720,8164,3125582,SecurityEvent, +,"10/17/2024, 4:23:46.105 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somersetrec,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00a210f0-eeb5-41bb-b661-996eb5e87abd},720,8164,3125584,SecurityEvent, +,"10/17/2024, 4:23:46.149 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econclubchi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c547bdf9-1962-4cc4-87b5-7ebcce0e2cc6},720,8164,3125586,SecurityEvent, +,"10/17/2024, 4:23:46.416 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burnshire,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c58faaf8-a104-4513-a3e3-ed49a3cd3b5d},720,8164,3125588,SecurityEvent, +,"10/17/2024, 4:23:46.819 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,romantisea,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6f0a58ae-144d-44ce-8361-dc1962fc6b0d},720,8164,3125590,SecurityEvent, +,"10/17/2024, 4:23:47.767 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundtransit,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{625aa9b8-9199-4eb8-a1fc-aadf2c3add81},720,8164,3125592,SecurityEvent, +,"10/17/2024, 4:23:47.866 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,editline,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{56d5804f-b888-44f3-adf8-4fb660f4cc94},720,8164,3125594,SecurityEvent, +,"10/17/2024, 4:23:48.070 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buena,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f114fde1-2a0e-4e7e-b86d-efa95fb59ef6},720,8164,3125596,SecurityEvent, +,"10/17/2024, 4:23:48.277 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gears,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{997c8964-2789-4671-9ada-65bc91f8323c},720,8164,3125598,SecurityEvent, +,"10/17/2024, 4:23:48.469 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safe-wire,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8ac437f-fade-45ab-ae46-ca57f23842fc},720,8164,3125600,SecurityEvent, +,"10/17/2024, 4:23:49.459 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softgain,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2eb6a042-e3ce-4a7b-b135-80b23d1a6bd1},720,8164,3125602,SecurityEvent, +,"10/17/2024, 4:23:49.518 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edcoms,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c9e3c61c-ef9b-4c2a-ac17-f86758901ead},720,8164,3125604,SecurityEvent, +,"10/17/2024, 4:23:49.556 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gintzler,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0f89029-b6b8-43c6-bf4b-b78d1b3ed286},720,8164,3125606,SecurityEvent, +,"10/17/2024, 4:23:49.702 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,107.150.56.10,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ftpuser,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1ff9817e-4db4-4ed5-937f-c76279752735},720,8164,3125608,SecurityEvent, +,"10/17/2024, 4:23:49.768 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bouwbedrijf,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{96ab4952-f2de-4352-9a0d-d0512308c4ba},720,8164,3125610,SecurityEvent, +,"10/17/2024, 4:23:50.163 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rs1w,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44756aa3-f758-41c4-ba5b-f18c600597c6},720,8164,3125612,SecurityEvent, +,"10/17/2024, 4:23:51.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spiritos,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9203f662-7f19-43da-ac8a-5044c1b8e8b8},720,8164,3125614,SecurityEvent, +,"10/17/2024, 4:23:51.268 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecodistrict,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f438c3c-9d7e-4d13-81cd-901940786877},720,8164,3125616,SecurityEvent, +,"10/17/2024, 4:23:51.427 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breuckelen,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1b3aa0df-13a9-4886-86b2-c8f3dedb2b3f},720,8164,3125618,SecurityEvent, +,"10/17/2024, 4:23:51.817 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saidph,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17d5d97f-400c-4f4f-8936-6e27e4ef17ef},720,8164,3125620,SecurityEvent, +,"10/17/2024, 4:23:52.052 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,girlspring,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4b708f64-ee90-427b-90b5-cb45b831f215},720,8164,3125622,SecurityEvent, +,"10/17/2024, 4:23:52.777 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sotis,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e5c512a5-8ab9-4295-be42-8e9c13ab8c11},720,8164,3125624,SecurityEvent, +,"10/17/2024, 4:23:52.919 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edieinc,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbc274ae-9603-40ca-8a4d-576f9a5c2321},720,8164,3125626,SecurityEvent, +,"10/17/2024, 4:23:53.083 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunuel,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0722c242-1c2a-4b6c-9505-33506711349b},720,8164,3125628,SecurityEvent, +,"10/17/2024, 4:23:53.433 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garnerit,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6057a212-bc68-458d-8331-5889fbdf11b5},720,8164,3125630,SecurityEvent, +,"10/17/2024, 4:23:53.471 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roizin,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5cea4261-374d-4e39-8ae4-584ab46f158d},720,8164,3125632,SecurityEvent, +,"10/17/2024, 4:23:54.568 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solarlasvegas,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7c908c55-6426-4830-b9cb-1b598f8a6964},720,8164,3125634,SecurityEvent, +,"10/17/2024, 4:23:54.594 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echofin,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{51ecde13-f074-4899-9275-cb1d62796f94},720,8164,3125636,SecurityEvent, +,"10/17/2024, 4:23:54.737 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brasingtons,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{16c4b491-565b-4291-8b30-34403275c4aa},720,8164,3125638,SecurityEvent, +,"10/17/2024, 4:23:55.035 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gladis,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23e4e1e8-6d50-485c-8673-28b3d99d84c7},720,8164,3125640,SecurityEvent, +,"10/17/2024, 4:23:55.121 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rombrascom,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5ca7e41e-d53f-495c-9a08-26f20337c166},720,8164,3125642,SecurityEvent, +,"10/17/2024, 4:23:56.232 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spurstaffing,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c0fc758-0232-4b00-9c5d-507c331e24dd},720,8164,3125644,SecurityEvent, +,"10/17/2024, 4:23:56.244 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echeverri,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{622d6e62-041d-4ec8-bacb-fe03df9eced8},720,8164,3125646,SecurityEvent, +,"10/17/2024, 4:23:56.388 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brewskeeball,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f48de1b1-5b19-4eab-8402-ab2d1bab556c},720,8164,3125648,SecurityEvent, +,"10/17/2024, 4:23:56.809 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roehm,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5ffccd6e-2b17-4150-ae61-54640fc75c2c},720,8164,3125650,SecurityEvent, +,"10/17/2024, 4:23:56.923 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gersek,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a2e29f4-c339-4854-a85d-38dfc33aa882},720,8164,3125652,SecurityEvent, +,"10/17/2024, 4:23:57.891 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soscuisine,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3fef4d42-8735-42c6-a42d-68e37d453776},720,8164,3125654,SecurityEvent, +,"10/17/2024, 4:23:58.046 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edensjournal,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{df42bef7-8d1f-4314-974e-9367ce25edf5},720,8164,3125656,SecurityEvent, +,"10/17/2024, 4:23:58.098 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boylston,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e108cfea-cd62-4bda-b4c0-8d4e81b6344c},720,8164,3125658,SecurityEvent, +,"10/17/2024, 4:23:58.490 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodier,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8eb17fe4-7796-461f-9ee8-a8632732d72f},720,8164,3125660,SecurityEvent, +,"10/17/2024, 4:23:58.503 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gilson,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fbf4b249-acfd-4da2-9719-df85797b3bca},720,8164,3125662,SecurityEvent, +,"10/17/2024, 4:23:59.619 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,socrystal,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ef17908d-0b96-4cc7-aa8b-9a089b9f6860},720,8164,3125664,SecurityEvent, +,"10/17/2024, 4:23:59.749 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brienen,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{87496ddb-b61a-494a-bcbe-52a44eca7e35},720,8164,3125666,SecurityEvent, +,"10/17/2024, 4:23:59.774 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elring,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{80b02188-9013-4de2-8a8f-8b830bfbe28d},720,8164,3125668,SecurityEvent, +,"10/17/2024, 4:23:59.859 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gc-tronic,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{861ce67a-2274-4af0-890d-e1bb6fef88d4},720,8164,3125670,SecurityEvent, +,"10/17/2024, 4:30:20.007 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brashconcepts,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ac0b92a4-76cb-4d4a-9d6c-8aadc0df4037},720,4832,3127947,SecurityEvent, +,"10/17/2024, 4:30:20.521 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elem3nt,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0ecdc5db-70a2-4219-bf23-bfa0a61063ef},720,4832,3127949,SecurityEvent, +,"10/17/2024, 4:30:20.539 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getcasely,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7147a537-36d9-4023-964b-9d87e27ff239},720,4832,3127951,SecurityEvent, +,"10/17/2024, 4:30:20.611 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rusdun,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ef15fc6-45b6-400b-abee-6820e463e6a1},720,4832,3127953,SecurityEvent, +,"10/17/2024, 4:30:20.625 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spotlyte,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{90a5a4e2-9259-46dd-bd17-0085aa388ffe},720,4832,3127955,SecurityEvent, +,"10/17/2024, 4:30:21.666 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burghard,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d64034e7-d2f6-4103-9b7b-23cc098a56d8},720,4832,3127957,SecurityEvent, +,"10/17/2024, 4:30:22.194 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecollections,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2b06b742-f5db-425a-b92e-8ff5353d0395},720,4832,3127959,SecurityEvent, +,"10/17/2024, 4:30:22.286 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spk,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5c0f8af-a5cc-42bc-ab29-c99bd9ebfb7e},720,4832,3127961,SecurityEvent, +,"10/17/2024, 4:30:22.300 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfactbox,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c39147e5-2331-4e17-8e26-c77490aee2a9},720,4832,3127963,SecurityEvent, +,"10/17/2024, 4:30:22.504 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royalabstract,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2f8c5268-9fd7-4b4b-a9bb-d082e28804c6},720,4832,3127965,SecurityEvent, +,"10/17/2024, 4:30:23.327 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bumble-beez,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{082f02c9-7a9d-4b29-8371-fb303b262e50},720,4832,3127967,SecurityEvent, +,"10/17/2024, 4:30:23.375 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gettrik,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8efb57ed-0ab5-46b2-8d5f-a1fa41baa1ae},720,4832,3127969,SecurityEvent, +,"10/17/2024, 4:30:23.857 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaglebrand,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{12d2b1da-bffe-48d8-8f40-326ef4e913ab},720,4832,3127971,SecurityEvent, +,"10/17/2024, 4:30:23.952 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sokid,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8a98cc20-d86c-4a7f-9705-b34bf5b97859},720,4832,3127973,SecurityEvent, +,"10/17/2024, 4:30:24.475 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rscsrc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c6494ec-6ea7-42ea-9d6c-217da64139ba},720,4832,3127975,SecurityEvent, +,"10/17/2024, 4:30:24.970 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brambleenergy,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36153b5a-b280-443a-825f-59c501ba4916},720,4832,3127977,SecurityEvent, +,"10/17/2024, 4:30:25.614 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,splicetel,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{de16f4c6-bf9e-4d5e-932b-74995460753f},720,4832,3127979,SecurityEvent, +,"10/17/2024, 4:30:25.728 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eden-services,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7b45e004-853a-40c1-9288-30fec9d65df0},720,4832,3127981,SecurityEvent, +,"10/17/2024, 4:30:25.854 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gantrex,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{869817e1-cc55-4973-844f-c987aec1fb15},720,4832,3127983,SecurityEvent, +,"10/17/2024, 4:30:26.240 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rosebaum,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6c617746-56ba-40db-8b19-a3ba29aa9ccf},720,4832,3127985,SecurityEvent, +,"10/17/2024, 4:30:26.633 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bspoketours,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2066d5e7-10ce-4fd1-a1d0-3bf3eec855b2},720,4832,3127987,SecurityEvent, +,"10/17/2024, 4:30:27.268 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,splendidcomms,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{315ee471-271d-49a5-ab4b-088519ab3be0},720,4832,3127989,SecurityEvent, +,"10/17/2024, 4:30:27.389 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eduseed,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4776e21-5fd3-401f-8dca-43cb1943d9e2},720,4832,3127991,SecurityEvent, +,"10/17/2024, 4:30:27.802 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamyte,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b14f21c2-c6d0-46e9-9b24-b14dd11d3935},720,4832,3127993,SecurityEvent, +,"10/17/2024, 4:30:28.157 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabriel,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d35d73f0-b4bc-4a26-b9b5-263977af1ac4},720,4832,3127995,SecurityEvent, +,"10/17/2024, 4:30:28.310 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandprox,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee0fbd07-5868-4572-9f96-419fed464cf6},720,4832,3127997,SecurityEvent, +,"10/17/2024, 4:30:28.919 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sophisticode,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a06c9c15-895d-4de5-8460-f692d094708d},720,4832,3127999,SecurityEvent, +,"10/17/2024, 4:30:29.042 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eindhoven,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6e5e7ef9-c2a7-440e-a82c-b98029eb8356},720,4832,3128001,SecurityEvent, +,"10/17/2024, 4:30:29.802 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabeha,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26b813ce-6bb2-4924-a9b6-75bf1a33eade},720,4832,3128003,SecurityEvent, +,"10/17/2024, 4:30:29.957 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandtrip,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{62e555ab-2a0a-472a-a332-27cfe70f41d7},720,4832,3128005,SecurityEvent, +,"10/17/2024, 4:30:30.297 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getgigbook,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{349f8d1b-2592-454e-8f71-bbe1f4939ece},720,4832,3128007,SecurityEvent, +,"10/17/2024, 4:30:30.571 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundin,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a79a8042-751c-4cc6-9819-6b0f28d6d5cb},720,4832,3128009,SecurityEvent, +,"10/17/2024, 4:30:30.691 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastvold,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e8d70e8b-fa2e-440c-9206-e6fab7e99c47},720,4832,3128011,SecurityEvent, +,"10/17/2024, 4:30:31.390 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getexpo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6aceabc9-f649-4b1c-af60-dba618a387af},720,4832,3128015,SecurityEvent, +,"10/17/2024, 4:30:31.835 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brogle-druck,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{46de6c8a-0d50-474d-9e0e-6a821b86139d},720,4832,3128017,SecurityEvent, +,"10/17/2024, 4:30:31.873 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rvfb,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{35adf293-dca8-4790-8ae4-7b7681eefb90},720,4832,3128019,SecurityEvent, +,"10/17/2024, 4:30:32.224 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somata,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9685ecd2-ce51-4d3f-b4d3-1c8e72b48d88},720,4832,3128021,SecurityEvent, +,"10/17/2024, 4:30:32.360 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsisi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d11a749-9ed7-4bf9-a89c-33cf562b758b},720,4832,3128023,SecurityEvent, +,"10/17/2024, 4:30:32.691 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geosouthern,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f89d2512-eeb1-4946-b306-08b6284091e1},720,4832,3128025,SecurityEvent, +,"10/17/2024, 4:30:33.561 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bueter,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1a151c1f-1af3-4e48-a714-a68242b65cdd},720,4832,3128027,SecurityEvent, +,"10/17/2024, 4:30:33.882 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinwave,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{95fa9540-67fa-4094-9449-50f513e13c0d},720,4832,3128029,SecurityEvent, +,"10/17/2024, 4:30:34.025 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabzalimurad,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{52e79494-bcde-47e4-87cf-e6978ce692ff},720,4832,3128031,SecurityEvent, +,"10/17/2024, 4:30:34.036 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electrooptix,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f1b413f7-224e-45d7-bad0-f45b0f4ae57c},720,4832,3128033,SecurityEvent, +,"10/17/2024, 4:30:34.230 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garvish,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{055d0eb5-194a-4abd-a1af-92fc7a2840c4},720,4832,3128035,SecurityEvent, +,"10/17/2024, 4:30:35.212 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildgroup,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c999db63-7549-4274-bc9d-8806eb3a121e},720,4832,3128037,SecurityEvent, +,"10/17/2024, 4:30:35.685 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echodyne,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9d217e08-e7a8-4501-b7f8-228a5042160c},720,4832,3128039,SecurityEvent, +,"10/17/2024, 4:30:35.771 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodens,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f41b38bf-8241-437e-b8b3-48c9658e95ea},720,4832,3128041,SecurityEvent, +,"10/17/2024, 4:30:35.894 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spfsocial,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6952f824-fb72-4693-84a3-468936bb65b3},720,4832,3128043,SecurityEvent, +,"10/17/2024, 4:30:36.489 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garym,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ec287d43-9b9e-4306-bc6c-10c0db13b39c},720,4832,3128045,SecurityEvent, +,"10/17/2024, 4:30:37.067 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunos,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3a77e6ec-1d5a-42f4-95aa-1f5ac334e7f2},720,4832,3128047,SecurityEvent, +,"10/17/2024, 4:30:37.478 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eckis,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f741b068-8889-4816-98f7-cddacfefb4c7},720,4832,3128049,SecurityEvent, +,"10/17/2024, 4:30:37.507 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rustempasic,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{78dd8623-f262-497f-84fd-d7feff692039},720,4832,3128051,SecurityEvent, +,"10/17/2024, 4:30:37.693 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonicare,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc4ed3f8-3e10-49fa-878f-346dd9113f35},720,4832,3128053,SecurityEvent, +,"10/17/2024, 4:30:38.723 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,build1x,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3d3f7d14-7a5a-46a5-9852-663dba5b5acd},720,4832,3128055,SecurityEvent, +,"10/17/2024, 4:30:38.892 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getmailbird,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{243cf61c-3439-45cc-a533-b63341f2cbb0},720,4832,3128057,SecurityEvent, +,"10/17/2024, 4:30:39.143 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagleyeit,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{143a9683-37f5-4f5a-bba9-353672da1aa9},720,4832,3128059,SecurityEvent, +,"10/17/2024, 4:30:39.344 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkswap,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9db89046-67f5-458d-9d25-4ef764e3f727},720,4832,3128061,SecurityEvent, +,"10/17/2024, 4:30:39.470 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roverapps,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{af98c4d4-9baf-4cbd-87d0-70de179a1dd9},720,4832,3128063,SecurityEvent, +,"10/17/2024, 4:29:20.058 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rsac,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0e9f42d-046b-48f9-83da-9de8d39b37a4},720,8164,3127593,SecurityEvent, +,"10/17/2024, 4:29:20.289 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonit,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b2a984dd-5f81-487e-8e0b-72cf1efce72d},720,8164,3127595,SecurityEvent, +,"10/17/2024, 4:29:20.539 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brencam,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc1a31a3-e32d-436f-8ed6-4ed191a40043},720,8164,3127597,SecurityEvent, +,"10/17/2024, 4:29:21.062 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ganyu,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3191164c-2874-4d8a-ae5b-fec999362608},720,8164,3127599,SecurityEvent, +,"10/17/2024, 4:29:21.654 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecosante,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26ef764c-f0a6-4171-84b8-f304dad770f2},720,8164,3127601,SecurityEvent, +,"10/17/2024, 4:29:22.024 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spcmechanical,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97c66420-756b-4a0b-a890-d6d65e63c341},720,8164,3127603,SecurityEvent, +,"10/17/2024, 4:29:22.074 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roomrocket,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17f42d98-9229-4d29-a20b-4e593958252a},720,8164,3127605,SecurityEvent, +,"10/17/2024, 4:29:22.186 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buffas,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f8ee7922-e1ff-4391-8b98-289fe3e3aa76},720,8164,3127607,SecurityEvent, +,"10/17/2024, 4:29:23.302 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eleff,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6bf5de10-9a1d-4186-ae65-d106f8dd2a07},720,8164,3127609,SecurityEvent, +,"10/17/2024, 4:29:23.320 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geant,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49cfca62-1e26-4506-9567-38185a8b1f5b},720,8164,3127611,SecurityEvent, +,"10/17/2024, 4:29:23.699 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spssi,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{467b1686-856c-450f-b9d5-91162b5bde8b},720,8164,3127613,SecurityEvent, +,"10/17/2024, 4:29:23.721 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roywell,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{64f084b8-c162-4d14-98f5-c496960fbd3a},720,8164,3127615,SecurityEvent, +,"10/17/2024, 4:29:23.842 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buchinski,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f4b2156-359a-4ae7-a56b-c3e1f243e76a},720,8164,3127617,SecurityEvent, +,"10/17/2024, 4:29:24.965 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genengnews,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{533ca304-d96a-49d5-b70c-049531dde1ae},720,8164,3127619,SecurityEvent, +,"10/17/2024, 4:29:24.984 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ejfoundation,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25181a53-a590-4012-9ce3-e38b07280fef},720,8164,3127621,SecurityEvent, +,"10/17/2024, 4:29:25.343 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spencecare,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{77e7da45-b570-427a-9bdb-50631f80824a},720,8164,3127623,SecurityEvent, +,"10/17/2024, 4:29:25.405 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,runmyerrands,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d0c4bd76-4708-4e09-b736-3b17eb15e404},720,8164,3127625,SecurityEvent, +,"10/17/2024, 4:29:25.520 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brooks-ins,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{66066a00-73f0-4a26-8760-63855ecb3608},720,8164,3127627,SecurityEvent, +,"10/17/2024, 4:29:26.675 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastville,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{73c2dc96-6d13-401f-9286-1063cb300774},720,8164,3127629,SecurityEvent, +,"10/17/2024, 4:29:27.009 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,southern-it,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c89b79b3-2959-4059-aaf8-5c4ac7bcee38},720,8164,3127631,SecurityEvent, +,"10/17/2024, 4:29:27.050 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rustebakke,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{27c6b6f2-b1e4-480e-b5f4-37491eec0d29},720,8164,3127633,SecurityEvent, +,"10/17/2024, 4:29:27.173 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boyles,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c7718e0-9d6e-441c-92da-35ff9b3256c9},720,8164,3127635,SecurityEvent, +,"10/17/2024, 4:29:27.221 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geough,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{28919e57-2851-4919-86c4-5c641e28cce3},720,8164,3127637,SecurityEvent, +,"10/17/2024, 4:29:28.386 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edeveco,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{19aec661-b0aa-466f-adfb-e58e6f57a7df},720,8164,3127639,SecurityEvent, +,"10/17/2024, 4:29:28.659 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solidan,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa545584-72c8-4c1d-ab2c-01729efa26e1},720,8164,3127641,SecurityEvent, +,"10/17/2024, 4:29:28.707 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rouchinet,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{162b29d2-1546-4ccd-ae7f-eb6da100990a},720,8164,3127643,SecurityEvent, +,"10/17/2024, 4:29:28.747 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcsincorp,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5fbbdfc2-4069-46e7-82d0-008114b8e6bb},720,8164,3127645,SecurityEvent, +,"10/17/2024, 4:29:28.828 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brae,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8c9e8f7-be75-4e17-b03e-c6bb6dff9809},720,8164,3127647,SecurityEvent, +,"10/17/2024, 4:29:29.835 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamewise,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a5778a1-5983-4a59-b288-1852a0485fa6},720,8164,3127649,SecurityEvent, +,"10/17/2024, 4:29:30.068 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edcreate,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99198b43-4f02-4ae0-b9c8-995e69963920},720,8164,3127651,SecurityEvent, +,"10/17/2024, 4:29:30.315 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spectracom,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{05f0129b-49c9-472d-b137-e4eab5f0480f},720,8164,3127653,SecurityEvent, +,"10/17/2024, 4:29:30.498 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safalsoft,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c0a6f89f-9727-477d-a837-b84c9dc92729},720,8164,3127655,SecurityEvent, +,"10/17/2024, 4:29:30.621 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burrusseed,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0fc53bd3-8aff-4270-a52e-56c00c412b4f},720,8164,3127657,SecurityEvent, +,"10/17/2024, 4:29:31.323 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcds,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1fd4d0c9-5889-4d7d-b865-40f90feabc3f},720,8164,3127661,SecurityEvent, +,"10/17/2024, 4:29:31.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecdi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6165820-521b-48c6-b0f9-adbd1097f36d},720,8164,3127663,SecurityEvent, +,"10/17/2024, 4:29:32.124 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonograms,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a98f7305-0695-4b68-9169-2f9b934681ee},720,8164,3127665,SecurityEvent, +,"10/17/2024, 4:29:32.263 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,broadlink,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{deeafbaa-5904-4b11-b867-b3cc81d8d715},720,8164,3127667,SecurityEvent, +,"10/17/2024, 4:29:32.337 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samo,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8edf990-b3ac-4db4-a576-8cbe0e8c2f11},720,8164,3127669,SecurityEvent, +,"10/17/2024, 4:29:33.378 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edgerly,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{45fe64a7-3903-45a4-8ec1-f01517a7b7ee},720,8164,3127671,SecurityEvent, +,"10/17/2024, 4:29:33.752 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garavaglia,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{152087ab-7422-4aae-bd83-8569c97eb2e2},720,8164,3127673,SecurityEvent, +,"10/17/2024, 4:29:33.851 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spothook,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49c8f826-fb83-44c3-b495-961f37c7daf2},720,8164,3127675,SecurityEvent, +,"10/17/2024, 4:29:33.915 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandingirons,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0834e2d0-bd5d-4ced-9b19-465bd11ed074},720,8164,3127677,SecurityEvent, +,"10/17/2024, 4:29:34.055 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rushcycle,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee681b94-b6a9-46bc-a2e0-8ea3e8488cc3},720,8164,3127679,SecurityEvent, +,"10/17/2024, 4:29:35.039 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ekssecurity,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{310e9151-4eb3-475c-add5-624bcc3df65a},720,8164,3127681,SecurityEvent, +,"10/17/2024, 4:29:35.132 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,get2space,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{08f7ec5d-4fde-4900-906d-d1a5db4b1487},720,8164,3127683,SecurityEvent, +,"10/17/2024, 4:29:35.594 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soconord,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00efa1c5-5f94-4c6e-97cc-5646cbdb0f24},720,8164,3127685,SecurityEvent, +,"10/17/2024, 4:29:35.618 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bufftree,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c7dac63-520c-4704-b093-5558fee6941b},720,8164,3127687,SecurityEvent, +,"10/17/2024, 4:29:35.737 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rvone,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbe18140-a3f0-4db9-858b-3edef3fe1f34},720,8164,3127689,SecurityEvent, +,"10/17/2024, 4:29:36.331 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gapyear,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{deef03e9-c31e-4281-ab11-d14ba6579d98},720,8164,3127691,SecurityEvent, +,"10/17/2024, 4:29:36.712 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econsolution,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ea307a0f-c2f6-4a48-8be5-76b817efb0f6},720,8164,3127693,SecurityEvent, +,"10/17/2024, 4:29:37.324 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springmillvp,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f83b7df3-afac-4e26-9d6d-806773eaf559},720,8164,3127695,SecurityEvent, +,"10/17/2024, 4:29:37.385 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bounch,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{53fa957d-d85b-4fb0-af74-da44c666ea01},720,8164,3127697,SecurityEvent, +,"10/17/2024, 4:29:37.388 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ryannjhvac,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0917d511-688e-40ae-b140-b3f6b5689d74},720,8164,3127699,SecurityEvent, +,"10/17/2024, 4:29:37.423 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getscopeai,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f3ab837-9c70-4392-a157-6d3ef5e54bb9},720,8164,3127701,SecurityEvent, +,"10/17/2024, 4:29:38.367 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellinger,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11d774d0-8f6a-49ab-a5c3-cbef2496af05},720,8164,3127703,SecurityEvent, +,"10/17/2024, 4:29:39.050 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgemakers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a5357fc0-d29f-4496-8f54-ef4ab392c594},720,8164,3127705,SecurityEvent, +,"10/17/2024, 4:29:39.159 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rschooltoday,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0fecfb76-d05e-4ffc-a24a-29d69f365862},720,8164,3127707,SecurityEvent, +,"10/17/2024, 4:29:39.188 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spreadex,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{945ec1bf-79dc-45d2-9693-98e1045573ed},720,8164,3127709,SecurityEvent, +,"10/17/2024, 4:29:39.643 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gassmanfg,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee87e1c0-3c05-49d0-9ca3-bf1c681f24a8},720,8164,3127711,SecurityEvent, +,"10/17/2024, 4:30:40.098 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garakami,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{380e2e2d-48cc-44a1-92f0-7ec15e8e2c54},720,4832,3128065,SecurityEvent, +,"10/17/2024, 4:30:40.373 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brodowski,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cfbda35b-f75a-4401-92f1-72c4994d1a23},720,4832,3128067,SecurityEvent, +,"10/17/2024, 4:30:40.804 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elationsys,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ae9572eb-2735-4bbe-a30c-a1d42fe3ebc3},720,4832,3128069,SecurityEvent, +,"10/17/2024, 4:30:41.057 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solarcomm,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e596e41-0d74-48a8-a502-c6caf9fa7c48},720,4832,3128071,SecurityEvent, +,"10/17/2024, 4:30:41.389 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodanmedia,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b0fa0b02-aad8-4fa3-9584-4fd50b663f3e},720,4832,3128073,SecurityEvent, +,"10/17/2024, 4:30:42.029 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,btbautoparts,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3765b58-3582-4b76-bbec-b3ccdd8c6c66},720,4832,3128075,SecurityEvent, +,"10/17/2024, 4:30:42.508 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edisonohio,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{43c4ef51-9f52-4524-8b7a-3e95339a339a},720,4832,3128077,SecurityEvent, +,"10/17/2024, 4:30:42.880 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solarline,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{94604428-720d-4d49-8be2-deb7dd45508b},720,4832,3128079,SecurityEvent, +,"10/17/2024, 4:30:42.968 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geosafe,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{83952baf-5ff2-4de2-8a22-e80b941671e2},720,4832,3128081,SecurityEvent, +,"10/17/2024, 4:30:43.051 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ropaar,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d9deb4ca-5057-4e12-975b-e5feef2b675f},720,4832,3128083,SecurityEvent, +,"10/17/2024, 4:30:43.685 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandsus,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{55adfd25-5b7c-413b-98f1-ea4f2daccce0},720,4832,3128085,SecurityEvent, +,"10/17/2024, 4:30:44.156 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsor,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2843b6e4-e27c-405e-a89a-a44c0f9ca68e},720,4832,3128087,SecurityEvent, +,"10/17/2024, 4:30:44.653 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solutions4,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff384cf5-16d4-4a3e-93f9-c062ca352ef5},720,4832,3128089,SecurityEvent, +,"10/17/2024, 4:30:44.746 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rygaard,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f762004-6fc7-480a-b585-faac613f88df},720,4832,3128091,SecurityEvent, +,"10/17/2024, 4:30:44.924 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gigya,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{71e5b956-c636-4789-894e-616b4dbaaaf1},720,4832,3128093,SecurityEvent, +,"10/17/2024, 4:30:45.514 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brohan,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{df33267c-1c9b-4de6-81d6-cdbe026222ae},720,4832,3128095,SecurityEvent, +,"10/17/2024, 4:30:45.811 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecostaff,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{24d41c94-5a0a-4b51-be51-0def50f1972b},720,4832,3128097,SecurityEvent, +,"10/17/2024, 4:30:46.224 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getinkspired,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6a9cb0d-17c0-45cc-8a99-8e28ecca08a7},720,4832,3128099,SecurityEvent, +,"10/17/2024, 4:30:46.312 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springsealinc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4209ff91-78eb-497b-8146-71c0da3bde83},720,4832,3128101,SecurityEvent, +,"10/17/2024, 4:30:46.565 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodneys,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0145daeb-99de-48c1-bf79-943d97d7e4f3},720,4832,3128103,SecurityEvent, +,"10/17/2024, 4:30:47.191 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bullard,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9646f2e3-fe4b-4c0a-840d-e152bbefcf16},720,4832,3128105,SecurityEvent, +,"10/17/2024, 4:30:47.585 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastpac,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{40b05f2a-9510-4a16-9512-603a5ca39e20},720,4832,3128107,SecurityEvent, +,"10/17/2024, 4:30:47.965 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solinfo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2c0aca9f-90eb-480d-b34a-b50008cab4c4},720,4832,3128109,SecurityEvent, +,"10/17/2024, 4:30:48.081 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gendlin,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{22887002-3581-4079-bff9-b7c328a20a88},720,4832,3128111,SecurityEvent, +,"10/17/2024, 4:30:48.538 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sageitinc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed5414fe-140f-436c-b9d1-10604575666c},720,4832,3128113,SecurityEvent, +,"10/17/2024, 4:30:49.062 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brustolon,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{84de2240-418a-435e-a65e-03a18a719d40},720,4832,3128115,SecurityEvent, +,"10/17/2024, 4:30:49.318 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebizzers,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8aa4ef82-1879-4f05-b0be-44b45db17d69},720,4832,3128117,SecurityEvent, +,"10/17/2024, 4:30:49.526 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gessin,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc73bbef-fb96-4de9-ac00-474083614fe8},720,4832,3128119,SecurityEvent, +,"10/17/2024, 4:30:49.636 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonnisroy,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3aabe7fc-3ab5-4ebc-b6dd-00424ebbecac},720,4832,3128121,SecurityEvent, +,"10/17/2024, 4:30:50.222 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rymark,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{343c3edd-58dc-4fab-9f4b-f39183dd73b9},720,4832,3128123,SecurityEvent, +,"10/17/2024, 4:30:50.599 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getairsports,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a21066d9-0057-4635-94a4-f186315f367f},720,4832,3128125,SecurityEvent, +,"10/17/2024, 4:30:50.769 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgford,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3da3270e-3175-4ac6-91a0-7903170d687c},720,4832,3128127,SecurityEvent, +,"10/17/2024, 4:30:50.983 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellasmonitor,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{39be8dcf-8f0b-42b3-be40-262f5d8c49a7},720,4832,3128129,SecurityEvent, +,"10/17/2024, 4:30:51.317 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,socialstudio,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1e912da2-64f3-498a-8fe6-6794bd059956},720,4832,3128131,SecurityEvent, +,"10/17/2024, 4:30:52.154 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubright,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23152c2d-9687-455e-a65d-ac06872c1e58},720,4832,3128133,SecurityEvent, +,"10/17/2024, 4:30:52.420 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandflight,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7c326f0d-0735-497d-b663-b9a78c308b94},720,4832,3128135,SecurityEvent, +,"10/17/2024, 4:30:52.645 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecorps,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9465325e-f0cb-4489-9202-efd78bfb77b6},720,4832,3128137,SecurityEvent, +,"10/17/2024, 4:30:52.814 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfave,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3f2e791-cdc6-4bca-adda-676d7a656457},720,4832,3128139,SecurityEvent, +,"10/17/2024, 4:30:53.014 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solar-wind,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{84bec143-072b-4254-99dd-5738847a199a},720,4832,3128141,SecurityEvent, +,"10/17/2024, 4:30:53.927 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getunwired,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7434fa72-d024-4b96-ba1f-5e8a280313aa},720,4832,3128143,SecurityEvent, +,"10/17/2024, 4:30:54.139 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rouns,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8d431759-5eaa-4419-a38a-2f83a48b8066},720,2980,3128145,SecurityEvent, +,"10/17/2024, 4:30:54.184 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,builduped1d,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{72c78942-799c-4bdc-8e10-5cbc1d818d7a},720,2980,3128147,SecurityEvent, +,"10/17/2024, 4:30:54.301 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earnreit,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e1ef716-97b8-4301-8c23-77750e47fe55},720,2980,3128149,SecurityEvent, +,"10/17/2024, 4:30:54.973 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparketh,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{98701253-9cf9-40cb-bcd3-aa569c83aa6d},720,2980,3128151,SecurityEvent, +,"10/17/2024, 4:30:55.267 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gammet,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a6aec33-6fe3-4acd-90dc-b6cbc93ce675},720,2980,3128153,SecurityEvent, +,"10/17/2024, 4:30:55.811 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salesgym,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{245f91d9-5f3e-4937-91b3-1251b7de5fc0},720,2980,3128155,SecurityEvent, +,"10/17/2024, 4:30:55.846 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bsh-group,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2ab7c1d6-bee1-44e7-933e-2e239c84d1ad},720,2980,3128157,SecurityEvent, +,"10/17/2024, 4:30:55.950 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elegant,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d69013d5-5338-476d-9893-b16db5cd294c},720,2980,3128159,SecurityEvent, +,"10/17/2024, 4:30:56.623 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sontech,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{644fdec2-93e4-4bc7-aa52-88132342e716},720,2980,3128161,SecurityEvent, +,"10/17/2024, 4:30:57.077 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gce,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{18bee206-0ea0-43f4-a9f8-43e6a95972ee},720,2980,3128163,SecurityEvent, +,"10/17/2024, 4:30:57.500 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,braescapital,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ec28b609-8fbe-4cc8-b491-0649ddb64a39},720,2980,3128165,SecurityEvent, +,"10/17/2024, 4:30:57.522 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sailfan,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{550ad90d-f672-4865-b953-42e7199e3653},720,2980,3128167,SecurityEvent, +,"10/17/2024, 4:30:57.610 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellmaker,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d601bd46-2158-4f8e-924e-ff6685e03835},720,2980,3128169,SecurityEvent, +,"10/17/2024, 4:30:58.278 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sponsels,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b0b0995f-1c90-4efa-b7bf-b7d4d8e502ee},720,2980,3128171,SecurityEvent, +,"10/17/2024, 4:30:58.634 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getuprise,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{500f9d5f-0c8a-467e-bac5-f7bb0bca4ed2},720,2980,3128173,SecurityEvent, +,"10/17/2024, 4:30:59.155 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bsterling,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{134d6a0d-7b8c-4ef2-a73b-2969116b5866},720,2980,3128175,SecurityEvent, +,"10/17/2024, 4:30:59.222 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saabe,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{296ca78e-c683-4194-bc7f-0a99658bc5db},720,2980,3128177,SecurityEvent, +,"10/17/2024, 4:30:59.317 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eatexplore,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8dc10a6-3f21-461f-926a-671f49fd4c73},720,2980,3128179,SecurityEvent, +,"10/17/2024, 4:30:59.940 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spagnoli,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9df23aa6-74e1-46cf-b6cc-2d801f109ab1},720,2980,3128182,SecurityEvent, +,"10/17/2024, 4:31:40.427 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saisi,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca701d77-fb37-4d2a-9a4d-5353ad4d168c},720,2980,3128435,SecurityEvent, +,"10/17/2024, 4:31:40.688 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soletrakr,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{33a9c485-186e-44f5-8fff-d0efb7753e82},720,2980,3128437,SecurityEvent, +,"10/17/2024, 4:31:41.261 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getgigz,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b03d6589-1bbc-4ab4-848d-0efa3b9274da},720,2980,3128439,SecurityEvent, +,"10/17/2024, 4:31:41.376 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,businesscycle,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{360aeac4-d747-49c5-9fc5-23324e716b51},720,2980,3128441,SecurityEvent, +,"10/17/2024, 4:31:41.659 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eeyorecd,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c9b0796c-3e89-43f9-b7cc-c408ac2eb83f},720,2980,3128443,SecurityEvent, +,"10/17/2024, 4:31:42.086 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubix-group,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{545af58f-17ff-47d0-bce7-0fbed031e569},720,2980,3128445,SecurityEvent, +,"10/17/2024, 4:31:42.346 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somerfields,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0d0d339c-51bf-48cd-8da7-93b5cfc9d672},720,2980,3128447,SecurityEvent, +,"10/17/2024, 4:31:42.350 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giraulo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17437c8a-11dc-474b-97eb-9e015d9c9a61},720,2980,3128449,SecurityEvent, +,"10/17/2024, 4:31:43.271 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brondell,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49211117-3e40-4471-81b4-b79c30b710c4},720,2980,3128451,SecurityEvent, +,"10/17/2024, 4:31:43.305 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edwarddean,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5306b1b-5636-44be-8349-d7ebd737a860},720,2980,3128453,SecurityEvent, +,"10/17/2024, 4:31:43.735 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gecd307,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{583d5ba9-ab1c-4ced-891f-d8d881dceb69},720,2980,3128455,SecurityEvent, +,"10/17/2024, 4:31:43.744 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rouler,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7b8b7f24-6bc3-4ba9-9d58-22d72ed120b5},720,2980,3128457,SecurityEvent, +,"10/17/2024, 4:31:44.011 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soho,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cb2c211e-902b-44a5-b094-d27c8cc906b2},720,2980,3128459,SecurityEvent, +,"10/17/2024, 4:31:44.843 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbw,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9128ee4c-e8c3-41a1-b584-4b567a398252},720,2980,3128461,SecurityEvent, +,"10/17/2024, 4:31:44.965 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bryantideas,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4d7bbbde-f5cc-4ef8-88af-37fd7ebec565},720,2980,3128463,SecurityEvent, +,"10/17/2024, 4:31:45.182 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecolonial,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0560bfce-f086-4d08-884f-4ffa8e53d848},720,2980,3128465,SecurityEvent, +,"10/17/2024, 4:31:45.404 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ropeadope,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{070a2e87-6bf2-4131-ba2e-c9bd9476351e},720,2980,3128467,SecurityEvent, +,"10/17/2024, 4:31:45.748 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speedcard,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8397a6ed-f15b-4fdd-aac9-3a2a4bd237b1},720,2980,3128469,SecurityEvent, +,"10/17/2024, 4:31:46.029 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getimaging,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{858b1779-914f-405d-9100-e384cf39ac1b},720,2980,3128471,SecurityEvent, +,"10/17/2024, 4:31:46.772 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breadsmith,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{61297f24-503e-4262-b18a-f95daa7b034a},720,2980,3128473,SecurityEvent, +,"10/17/2024, 4:31:46.846 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,efficency,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0d566bb-14f1-4adf-a647-6597997bb9f7},720,2980,3128475,SecurityEvent, +,"10/17/2024, 4:31:47.129 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sampoll,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2cf486e-35b5-453f-acf7-b9889aa75b20},720,2980,3128477,SecurityEvent, +,"10/17/2024, 4:31:47.410 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genomedesigns,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{02339465-63ed-411a-912e-46e88ebc698f},720,2980,3128479,SecurityEvent, +,"10/17/2024, 4:31:47.411 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,splunk,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e328c484-ac22-49be-817a-cce433018f3b},720,2980,3128481,SecurityEvent, +,"10/17/2024, 4:31:48.474 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breaks,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{88ae1d54-5df7-4c41-a94c-75edb486c0cb},720,2980,3128483,SecurityEvent, +,"10/17/2024, 4:31:48.587 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gaya,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9294ec29-a170-4873-8e1b-c64528ace714},720,2980,3128485,SecurityEvent, +,"10/17/2024, 4:31:48.772 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royallepagegp,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6b01c4be-ea6e-4d07-a4d0-cb7e65c61e53},720,2980,3128487,SecurityEvent, +,"10/17/2024, 4:31:48.991 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,effektiv,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6c3d4836-2c90-41d0-b3ef-10a6d7ecfab6},720,2980,3128489,SecurityEvent, +,"10/17/2024, 4:31:49.060 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{faaddc78-b7e8-4dd7-9d1c-485afe72bccb},720,2980,3128491,SecurityEvent, +,"10/17/2024, 4:31:50.073 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gilltrading,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e9cab0bd-5222-4454-bcc9-243075912cfe},720,2980,3128493,SecurityEvent, +,"10/17/2024, 4:31:50.226 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breedmatcher,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{492c81b8-0b18-4019-994f-76ac26259957},720,2980,3128495,SecurityEvent, +,"10/17/2024, 4:31:50.420 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rskbsl,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c40a3ade-e3a8-42db-b91b-c125d468c528},720,2980,3128497,SecurityEvent, +,"10/17/2024, 4:31:50.660 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,einbliq-io,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3d67171f-d373-4373-845e-a20bf1668453},720,2980,3128499,SecurityEvent, +,"10/17/2024, 4:31:50.718 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkboulder,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b6671159-07a9-49fc-acf7-91ce1d318918},720,2980,3128501,SecurityEvent, +,"10/17/2024, 4:31:51.320 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getproperly,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c7d74daf-1e8c-4c47-8147-622dca3d6f17},720,2980,3128503,SecurityEvent, +,"10/17/2024, 4:31:51.932 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bravocg,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aabe8cd8-d5c4-471c-b5de-f19ebacf1675},720,2980,3128505,SecurityEvent, +,"10/17/2024, 4:31:52.175 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safely,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{db5b0948-9a39-44d2-845b-2f1f2149435a},720,2980,3128507,SecurityEvent, +,"10/17/2024, 4:31:52.350 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagleridgegm,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa316db8-c4ec-49fa-b0d1-712e2482870c},720,2980,3128509,SecurityEvent, +,"10/17/2024, 4:31:52.373 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speaktoiot,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0f7199a-d85c-48b5-a72a-bdfa7b04b292},720,2980,3128511,SecurityEvent, +,"10/17/2024, 4:31:52.639 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gibbins,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c823a46e-09b6-46c7-8065-e126a1617d09},720,2980,3128513,SecurityEvent, +,"10/17/2024, 4:31:53.583 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brrrings,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aed8b9d6-5970-45ab-9764-19e25c82a7d6},720,2980,3128515,SecurityEvent, +,"10/17/2024, 4:31:53.829 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfuturebank,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a64457b8-df97-41ca-a151-fd7dea8ebf2f},720,2980,3128517,SecurityEvent, +,"10/17/2024, 4:31:53.830 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royalcare,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e64df74d-3e13-446f-a704-a7f50bebaca6},720,2980,3128519,SecurityEvent, +,"10/17/2024, 4:31:54.022 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sohls,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e9982e7-cdf0-480d-8881-b3b4bc3e3e13},720,2980,3128521,SecurityEvent, +,"10/17/2024, 4:31:54.289 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edmonds,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{91bed4d3-892d-4e4d-9500-66294f69264d},720,2980,3128523,SecurityEvent, +,"10/17/2024, 4:31:54.983 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gianna,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e87e6eba-f4a2-415a-8c9c-7b7dc0b1c28b},720,2980,3128525,SecurityEvent, +,"10/17/2024, 4:31:55.281 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boulay,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b38b89b7-dc9d-41d3-87a5-e0002b264f38},720,2980,3128527,SecurityEvent, +,"10/17/2024, 4:31:55.476 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rsegroup,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{764793e7-6ee3-4311-a5fb-6b0f85609f54},720,2980,3128529,SecurityEvent, +,"10/17/2024, 4:31:55.686 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprigati,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{47ce24aa-a64e-48a5-94fa-653a6f1db234},720,2980,3128531,SecurityEvent, +,"10/17/2024, 4:31:56.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getjerry,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59f1a17c-d759-44e8-a07c-6b78ca207c29},720,2980,3128533,SecurityEvent, +,"10/17/2024, 4:31:56.118 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastpro,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06131d52-cfec-489b-84a1-03087299e0d1},720,2980,3128535,SecurityEvent, +,"10/17/2024, 4:31:56.947 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brochu,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{61a933e5-4b99-4811-89b1-4b46ad2652fe},720,2980,3128537,SecurityEvent, +,"10/17/2024, 4:31:57.229 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcfga,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3bdaa88a-6ceb-467c-b2d2-bbe86bf77b60},720,2980,3128539,SecurityEvent, +,"10/17/2024, 4:31:57.272 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rowlett,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{91f4eb2b-40ee-4f4a-aebf-7e0266a74601},720,2980,3128541,SecurityEvent, +,"10/17/2024, 4:31:57.424 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soystudio,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5fcd72e4-7d06-4c06-b2ca-c87b089d1c49},720,2980,3128543,SecurityEvent, +,"10/17/2024, 4:31:57.900 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecycles,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5849267a-a77c-4b43-a2a6-76f2b4403a3c},720,2980,3128545,SecurityEvent, +,"10/17/2024, 4:31:58.300 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gavtilo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cda19309-51cf-43f1-8c73-e69e90625bb0},720,2980,3128547,SecurityEvent, +,"10/17/2024, 4:31:58.727 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brennenkelly,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e32e985c-e383-4c68-85ad-7eba481eac53},720,2980,3128549,SecurityEvent, +,"10/17/2024, 4:31:58.934 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruptured,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e65d64b-9f5d-421c-aea1-89c1b06768dc},720,2980,3128551,SecurityEvent, +,"10/17/2024, 4:31:59.134 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spragley,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8d4fed7e-dd5a-45c9-91ee-a85f2005bae3},720,2980,3128553,SecurityEvent, +,"10/17/2024, 4:31:59.557 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earn4u,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ee3f48f-9f4d-4ae0-b33b-e931d599add6},720,2980,3128555,SecurityEvent, +,"10/17/2024, 4:31:59.658 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garrettson,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9bc06d9d-cbc2-4f46-b05a-0ddb85400aed},720,2980,3128557,SecurityEvent, +,"10/17/2024, 4:20:40.037 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spgb,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2af74c4d-0d8d-41bb-90a6-6f9a05094870},720,5448,3124428,SecurityEvent, +,"10/17/2024, 4:20:40.145 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gen5,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{02f20668-f20e-4df8-987c-2890abe6ab5c},720,5448,3124430,SecurityEvent, +,"10/17/2024, 4:20:40.274 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elearningline,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8151fb97-0723-465d-86ec-95e5742f0964},720,5448,3124432,SecurityEvent, +,"10/17/2024, 4:20:41.147 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saloonmedia,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50eee1f6-9b45-4413-9f6a-4b2f85e8075d},720,8592,3124434,SecurityEvent, +,"10/17/2024, 4:20:41.348 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildproto,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{485bb8b9-93c9-42b9-8ab2-dcd17a935f4c},720,8592,3124436,SecurityEvent, +,"10/17/2024, 4:20:41.379 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gengirlmedia,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b4b041ac-a6e1-4da2-9b8f-1d900411ff6d},720,8592,3124438,SecurityEvent, +,"10/17/2024, 4:20:41.928 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edgix,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ac7777e-62b0-44aa-a681-f50d792d4a30},720,8592,3124440,SecurityEvent, +,"10/17/2024, 4:20:41.943 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solereve,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{914ba202-9a5b-4673-adf5-fdd2bfa860ef},720,8592,3124442,SecurityEvent, +,"10/17/2024, 4:20:42.615 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getitfree,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7b1ec940-2b5f-4619-b09e-1db8225f7915},720,8592,3124444,SecurityEvent, +,"10/17/2024, 4:20:42.806 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rscva,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{64a015eb-be7b-42f0-ae04-fefb548b151a},720,8592,3124446,SecurityEvent, +,"10/17/2024, 4:20:43.043 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridi,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a850b8e9-b7b5-42d3-843f-4ddc8ca9c96f},720,8592,3124448,SecurityEvent, +,"10/17/2024, 4:20:43.604 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundfest,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6636b101-ee83-4cab-8937-576575bbe695},720,8592,3124450,SecurityEvent, +,"10/17/2024, 4:20:43.697 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gjsigns,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bfea26e0-e1b6-4eb0-88e4-5317d94211de},720,8592,3124452,SecurityEvent, +,"10/17/2024, 4:20:43.739 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eclub,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{664423f6-3d3f-40b0-b888-91424fec430e},720,8592,3124454,SecurityEvent, +,"10/17/2024, 4:20:44.760 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gesoft,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00415ae7-7ab6-4d77-b396-34d2317fc295},720,8592,3124456,SecurityEvent, +,"10/17/2024, 4:20:44.771 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boutayeb,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6a2b79fb-f84d-4630-b7de-344cfc849d73},720,8592,3124458,SecurityEvent, +,"10/17/2024, 4:20:44.824 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rxt,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d774e9d8-a880-428f-88e8-1cac7bfa3d08},720,8592,3124460,SecurityEvent, +,"10/17/2024, 4:20:45.249 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soloworker,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97761597-ca48-44a3-bd6d-01d21bc01c13},720,8592,3124462,SecurityEvent, +,"10/17/2024, 4:20:45.916 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,efnc,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36b732e9-8289-46b9-ad5c-f06707593329},720,8592,3124464,SecurityEvent, +,"10/17/2024, 4:20:46.314 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemalto,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1370b234-8c23-4aa7-8c63-dcec36bb99e2},720,8592,3124466,SecurityEvent, +,"10/17/2024, 4:20:46.427 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{54a974e4-2461-4f69-8ca9-9af8a567d723},720,8592,3124468,SecurityEvent, +,"10/17/2024, 4:20:46.527 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royalcrawl,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa1e637f-73df-48f7-ae78-6f591c460b15},720,8592,3124470,SecurityEvent, +,"10/17/2024, 4:20:46.969 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spillman,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6eebc103-2641-40c5-93fb-35dc0dc6f152},720,8592,3124472,SecurityEvent, +,"10/17/2024, 4:20:47.400 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gesundimnorden,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b5f51e0-c5c1-4621-9eee-7728cb4215a2},720,8592,3124474,SecurityEvent, +,"10/17/2024, 4:20:47.562 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecnp,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{33cbe8fa-c777-4412-9f52-8c6fef3e39d3},720,8592,3124476,SecurityEvent, +,"10/17/2024, 4:20:48.120 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightcom,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6a9d4e6-eeb7-4dee-9c1c-3f74d5a3ae9a},720,8592,3124478,SecurityEvent, +,"10/17/2024, 4:20:48.200 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roiltd,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{65b57059-1376-45f4-90b7-73889022bd78},720,8592,3124480,SecurityEvent, +,"10/17/2024, 4:20:48.556 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemologue,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd8f3151-057f-43c4-acbe-566f2730f265},720,8592,3124482,SecurityEvent, +,"10/17/2024, 4:20:48.624 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springuel,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ab04950e-51f0-4d55-b7a3-6ed30fe256de},720,8592,3124484,SecurityEvent, +,"10/17/2024, 4:20:49.300 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecree,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c3e27b5e-98ba-4e07-ad9d-f6bed1c8a9f5},720,8592,3124486,SecurityEvent, +,"10/17/2024, 4:20:49.629 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghpartnersllc,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59915cf9-f706-450a-ae24-b03f130952b5},720,8592,3124488,SecurityEvent, +,"10/17/2024, 4:20:49.765 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brafman,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3b3c1d81-9b1c-4572-89c4-df36f131b067},720,8592,3124490,SecurityEvent, +,"10/17/2024, 4:20:50.161 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salin,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06995dde-59c0-4675-a87c-4d684b90b8a7},720,8592,3124492,SecurityEvent, +,"10/17/2024, 4:20:50.281 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sorgenfri,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5bc150d-6af6-4df1-9ef0-c3703655312b},720,8592,3124494,SecurityEvent, +,"10/17/2024, 4:20:50.784 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genine,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5979808e-6a6d-4b01-a572-e3c824d2156a},720,8592,3124496,SecurityEvent, +,"10/17/2024, 4:20:50.963 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earin,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbfbd596-2099-4726-849e-5c0025b95ab7},720,8592,3124498,SecurityEvent, +,"10/17/2024, 4:20:51.421 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burotechnik,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e1de518c-d4c4-4746-92d4-54d5be668d93},720,8592,3124500,SecurityEvent, +,"10/17/2024, 4:20:51.895 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruffroofers,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6bdb8db5-642c-41a1-8c6f-626c55dba840},720,8592,3124502,SecurityEvent, +,"10/17/2024, 4:20:52.013 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spork,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23472f86-1151-4468-80dc-e223b66c7f75},720,8592,3124504,SecurityEvent, +,"10/17/2024, 4:20:52.610 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaglesblood,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06e65478-8246-429c-a145-f0ee0fa6839d},720,8592,3124506,SecurityEvent, +,"10/17/2024, 4:20:52.949 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geyrhalter,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0f1bfe1-483a-418b-b562-e3a358917319},720,8592,3124508,SecurityEvent, +,"10/17/2024, 4:20:53.125 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buchs-sachsse,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{316a390c-977f-4c8e-92b6-9e12a36edc9b},720,8592,3124510,SecurityEvent, +,"10/17/2024, 4:20:53.788 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubberline,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2ff1ea0-cdf6-4706-a8f4-404c277bc17a},720,8592,3124512,SecurityEvent, +,"10/17/2024, 4:20:53.924 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkdog,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5dd85497-0e66-4bd9-b759-70485fd76548},720,8592,3124514,SecurityEvent, +,"10/17/2024, 4:20:54.054 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gethotspotapp,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3527552b-8bf0-4d2a-98a2-a012be06d92f},720,8592,3124516,SecurityEvent, +,"10/17/2024, 4:20:54.268 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecsc,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e6216f2c-aff9-4a7c-ac33-95e50c6c955c},720,8592,3124518,SecurityEvent, +,"10/17/2024, 4:20:54.904 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bureao,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b071cd0d-cfef-4b99-9b0a-5f29842879f2},720,8592,3124520,SecurityEvent, +,"10/17/2024, 4:20:55.306 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.85.229.43,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ftpuser,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a90f0c1-f5b2-464a-be0e-f7ef1a43d0cd},720,8592,3124522,SecurityEvent, +,"10/17/2024, 4:20:55.434 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gdsb239,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f236b3ee-36d0-44a4-991d-c446e595b3cf},720,8592,3124524,SecurityEvent, +,"10/17/2024, 4:20:55.520 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rvupgrades,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8565343b-8edf-480a-8662-3baef369a766},720,8592,3124526,SecurityEvent, +,"10/17/2024, 4:20:55.586 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkinterfax,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a2ee1524-2a75-4c42-aad6-935becc564b7},720,8592,3124528,SecurityEvent, +,"10/17/2024, 4:20:55.922 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebaaf,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8ac94cd7-378f-4311-91b3-4da21f2e4fb2},720,8592,3124530,SecurityEvent, +,"10/17/2024, 4:20:56.579 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bsa-regal,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{89b88cee-2f78-431c-be08-849322641a71},720,8592,3124532,SecurityEvent, +,"10/17/2024, 4:20:56.889 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gete,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0a27c153-6c28-440a-9961-e89869121225},720,8592,3124534,SecurityEvent, +,"10/17/2024, 4:20:57.185 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rp2global,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fc37dc1a-7a35-49c3-bdfd-c6a30d83dc01},720,8592,3124536,SecurityEvent, +,"10/17/2024, 4:20:57.238 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonawane,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f240f3d-84ed-486b-a6ef-e1b827a0afff},720,8592,3124538,SecurityEvent, +,"10/17/2024, 4:20:57.967 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemmus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7189464f-9822-4c57-935f-39bc3bfdac9c},720,8592,3124540,SecurityEvent, +,"10/17/2024, 4:20:58.047 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elegantchild,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f92c08c-3145-4490-9a62-1d911863a3a3},720,8592,3124542,SecurityEvent, +,"10/17/2024, 4:20:58.283 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bucklers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6656096a-61d7-4213-8ce3-ff960e78b2cd},720,8592,3124544,SecurityEvent, +,"10/17/2024, 4:20:58.845 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roofhawk,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1ad90450-0463-49f0-a057-cb52f7573bb9},720,8592,3124546,SecurityEvent, +,"10/17/2024, 4:20:58.981 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sponsiv,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5f9f4919-dfc1-4e83-98fa-d06394fd64e6},720,8592,3124548,SecurityEvent, +,"10/17/2024, 4:20:59.457 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gibsonia,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26dbc674-9f26-4a4d-99dc-5c31d279d3be},720,8592,3124550,SecurityEvent, +,"10/17/2024, 4:20:59.706 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecogoodz,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6e07eb3a-dca9-4817-bfe6-32fc08ee1da1},720,8592,3124552,SecurityEvent, +,"10/17/2024, 4:21:01.890 PM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11T.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - 
Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2c4,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11T$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11T$,S-1-5-18,0xc000006a,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,c9171ffe-8c3d-49d2-8c8b-fc5af77d39d0,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:35.255 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{3414e15e-03dc-4cdc-989e-b28967e2e4f7},716,5980,10739457,SecurityEvent, +,"10/17/2024, 4:21:00.039 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,btw-binder,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99ed130a-19c2-4030-8ae6-bf37f9b9646b},720,8592,3124554,SecurityEvent, +,"10/17/2024, 4:21:00.575 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbprotect,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 
PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8aad4d9e-2ad1-4d00-b078-f932748e52e6},720,8592,3124556,SecurityEvent, +,"10/17/2024, 4:21:00.621 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spindesk,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8718edf2-ca6c-4413-b20a-995f68e3b572},720,8592,3124558,SecurityEvent, +,"10/17/2024, 4:21:00.793 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safefirst,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{edb19d9e-a049-4245-afd6-937096434846},720,8592,3124560,SecurityEvent, +,"10/17/2024, 4:21:01.404 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earlsorganic,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7d23a416-9b69-4095-9020-a90329da3c35},720,8592,3124562,SecurityEvent, +,"10/17/2024, 4:21:01.699 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bozkurt,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{102b0dbd-fc2d-41c0-a773-5f7db8a2001c},720,8592,3124564,SecurityEvent, +,"10/17/2024, 4:21:02.281 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sokolow,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44d8aab2-ea90-4189-b663-04d18468af2c},720,8592,3124566,SecurityEvent, +,"10/17/2024, 4:21:02.336 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garfieldpark,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4db774b5-c9b4-4953-9f60-fd2ba01498df},720,8592,3124568,SecurityEvent, +,"10/17/2024, 4:21:02.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{03f6ece4-84f0-4173-bbe4-6bfe4fe83909},720,8592,3124570,SecurityEvent, +,"10/17/2024, 4:21:03.223 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ehsolution,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5dc7084c-9fe2-4410-9456-6ab93b0e3152},720,8592,3124572,SecurityEvent, +,"10/17/2024, 4:21:03.381 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brilin,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1702b838-f14f-446c-8c52-f0b0538e10cd},720,8592,3124574,SecurityEvent, +,"10/17/2024, 4:21:03.417 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gardine,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3dd8c4b9-76a1-4802-a1e1-85e5ab651ce5},720,8592,3124576,SecurityEvent, +,"10/17/2024, 4:21:04.033 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinner-group,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{09104f4d-7c4e-46db-bf54-5fd58d751fc7},720,8592,3124578,SecurityEvent, +,"10/17/2024, 4:21:04.376 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rogerspc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7794786c-8c14-490c-ac12-79f1a138c3f4},720,8592,3124580,SecurityEvent, +,"10/17/2024, 4:21:04.486 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genformation,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{63dca506-96b0-48f5-aefb-33fd678b5c3d},720,8592,3124582,SecurityEvent, +,"10/17/2024, 4:21:05.032 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,broadfording,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{38e81cf2-ea7d-4465-a65e-ad5fe5c2de89},720,8592,3124584,SecurityEvent, +,"10/17/2024, 4:21:05.582 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getdot,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ee8b10d-900a-48b8-b621-effe51dbdfea},720,8592,3124586,SecurityEvent, +,"10/17/2024, 4:21:05.738 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,easymonitoring,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6cfa6fa0-b2bd-4ca5-8718-d25155ecc007},720,8592,3124588,SecurityEvent, +,"10/17/2024, 4:21:05.780 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solitical,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a7c855d-bd30-485b-bc10-3e42a35b741a},720,8592,3124590,SecurityEvent, +,"10/17/2024, 4:21:06.035 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salesnexus,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a8257f6-60db-494c-80e4-0c1313c5d2d0},720,8592,3124592,SecurityEvent, +,"10/17/2024, 4:21:06.686 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightflag,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5370adb-58a0-4305-bf23-6a3958800cc9},720,8592,3124594,SecurityEvent, +,"10/17/2024, 4:21:07.273 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geminipei,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b472e1c9-0a81-4193-b797-be0275016b71},720,8592,3124596,SecurityEvent, +,"10/17/2024, 4:21:07.434 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sourlis,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a03573b-77eb-43a0-bcd9-ae9422bedbda},720,8592,3124598,SecurityEvent, +,"10/17/2024, 4:21:07.591 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elbkapitaene,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{979a8eb6-4c85-4b66-9aca-cb9426bf7fe1},720,8592,3124600,SecurityEvent, +,"10/17/2024, 4:21:07.805 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safemeds,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5beabad-bd32-4f7f-87dc-5cc0a56b5a66},720,8592,3124602,SecurityEvent, +,"10/17/2024, 4:21:08.347 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bulkfoods,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b16edc7d-86e2-45d9-b9e6-305daedfd081},720,8592,3124604,SecurityEvent, +,"10/17/2024, 4:21:08.364 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getheirloom,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6a710197-796f-45ea-9850-2ef56ce8ce30},720,8592,3124606,SecurityEvent, +,"10/17/2024, 4:21:09.081 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,southleft,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e737beb-1d19-4391-8b21-47a9805d4d75},720,8592,3124608,SecurityEvent, +,"10/17/2024, 4:21:09.352 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,efreightship,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{63f41552-baf5-4a20-89d2-cf8efd8999ab},720,8592,3124610,SecurityEvent, +,"10/17/2024, 4:21:09.442 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghealth,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4116054d-f994-4b94-a0c3-72d22fa4be79},720,8592,3124612,SecurityEvent, +,"10/17/2024, 4:21:09.488 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roomandboard,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c857079d-9116-4929-bd1a-4cc055f21639},720,8592,3124614,SecurityEvent, +,"10/17/2024, 4:21:10.133 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightideas,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{83419a38-31cb-425b-836c-f28d889f472d},720,8592,3124616,SecurityEvent, +,"10/17/2024, 4:21:10.641 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gammacatering,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff044a85-b51b-40b8-93ff-59bf6d8c7538},720,8592,3124618,SecurityEvent, +,"10/17/2024, 4:21:10.772 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundlaw,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4430eda5-ceb8-48d0-a7fd-0c559d9982a5},720,8592,3124620,SecurityEvent, +,"10/17/2024, 4:21:11.039 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eimprovement,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{eead7be0-425f-42f5-970b-d28a83011580},720,8592,3124622,SecurityEvent, +,"10/17/2024, 4:21:11.684 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sackman,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{117661af-91ee-4a93-b399-40a875964559},720,8592,3124626,SecurityEvent, +,"10/17/2024, 4:21:11.903 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brooklyner,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b9febd72-74d5-44c3-a73c-8b64ab901be8},720,8592,3124628,SecurityEvent, +,"10/17/2024, 4:21:11.982 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garaio-ag,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{43948276-40c1-4129-8a23-579e44f1d83b},720,8592,3124630,SecurityEvent, +,"10/17/2024, 4:21:12.426 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,southerland,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e6f1804-e63f-4baf-8be9-6c2403a5ec1f},720,8592,3124632,SecurityEvent, +,"10/17/2024, 4:21:12.934 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elemon,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4b802bcf-025f-4914-99c7-e264fb8776b0},720,8592,3124634,SecurityEvent, +,"10/17/2024, 4:21:13.063 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,get2living,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd12c83b-3b0c-4e2f-bde6-37a79feea1e4},720,8592,3124636,SecurityEvent, +,"10/17/2024, 4:21:13.369 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ryght,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c48a3673-87ed-466f-9b5d-92976b52fc5f},720,8592,3124638,SecurityEvent, +,"10/17/2024, 4:21:13.574 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brintons,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ac5eab36-8810-4c33-81ae-d54cbdd724f5},720,8592,3124640,SecurityEvent, +,"10/17/2024, 4:21:14.087 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sogur,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e837e76b-57f6-474b-a49e-05a9102c4a9f},720,8592,3124642,SecurityEvent, +,"10/17/2024, 4:21:14.134 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gigitsecurity,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b64d25be-f82d-46bd-9314-46a28ab3a618},720,8592,3124644,SecurityEvent, +,"10/17/2024, 4:21:14.698 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebersole,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1eea3754-2ba0-4509-8d7a-1854f52d51e3},720,8592,3124646,SecurityEvent, +,"10/17/2024, 4:21:15.031 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roseannas,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f34c948-7fe7-4ca6-a617-e25255c69f23},720,8592,3124648,SecurityEvent, +,"10/17/2024, 4:21:15.267 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgesolutions,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67edbb0e-07ad-4892-bab9-6a9122317297},720,8592,3124650,SecurityEvent, +,"10/17/2024, 4:21:15.374 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ggphomart,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2a70743-ea00-4251-8ddf-d2410d1cebbd},720,8592,3124652,SecurityEvent, +,"10/17/2024, 4:21:15.810 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportsrantz,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{024f0dd9-a0df-40d2-bae6-bb287a9ec891},720,8592,3124654,SecurityEvent, +,"10/17/2024, 4:21:16.588 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagora,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3a9ef8fb-aafb-46e3-97ec-b0dc59c131fe},720,8592,3124656,SecurityEvent, +,"10/17/2024, 4:21:16.734 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salom,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8c856140-3031-410c-a978-560fd5429533},720,8592,3124658,SecurityEvent, +,"10/17/2024, 4:21:16.931 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,briefcases,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c2817f5-6b95-4ff9-af8b-f785147380ee},720,8592,3124660,SecurityEvent, +,"10/17/2024, 4:21:16.996 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamingarts,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{32375c83-5888-4029-9c3e-0eb23034adcf},720,8592,3124662,SecurityEvent, +,"10/17/2024, 4:21:17.479 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportsnuts,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{19b8bb04-e5f0-4c76-8a00-a22f86034128},720,8592,3124664,SecurityEvent, +,"10/17/2024, 4:21:18.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gija,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ecb8b50a-2e4d-4e09-9612-f21b1337f952},720,8592,3124666,SecurityEvent, +,"10/17/2024, 4:21:18.268 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ectone,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67096ede-8f0a-4da6-9bfd-b95563ac54d5},720,8592,3124668,SecurityEvent, +,"10/17/2024, 4:21:18.391 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samlarc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c5150b9a-f148-4939-a47d-5d73e9070448},720,8592,3124670,SecurityEvent, +,"10/17/2024, 4:21:18.581 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bozhis,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26c33dd9-d163-4d9c-8e6a-db0dfe12c576},720,8592,3124672,SecurityEvent, +,"10/17/2024, 4:21:19.139 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soul-zen,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{40a556ac-acb9-4722-9d0c-a395d16d43d3},720,8592,3124674,SecurityEvent, +,"10/17/2024, 4:21:19.198 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garmac,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d138e8a8-6cb2-4363-b577-e969555b9d4b},720,8592,3124676,SecurityEvent, +,"10/17/2024, 4:21:20.126 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rudelman,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0352391-3c2d-491d-a758-9c455d5bb06e},720,8592,3124678,SecurityEvent, +,"10/17/2024, 4:21:20.246 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brazoswood,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0a20c3ce-4ef3-4230-ba66-59fbcd83a75e},720,8592,3124680,SecurityEvent, +,"10/17/2024, 4:21:20.358 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geowow,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c0df6830-e993-49d3-9007-25eeb3f6f2b2},720,8592,3124682,SecurityEvent, +,"10/17/2024, 4:21:20.791 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springside,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3509e55-74a4-4f6d-a00b-874505586994},720,8592,3124684,SecurityEvent, +,"10/17/2024, 4:21:20.802 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ekalsoft,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6cf3f148-d27f-4519-87c7-b040b729cc46},720,8592,3124686,SecurityEvent, +,"10/17/2024, 4:21:21.640 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gingerblaast,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{713e8a88-fdec-4bca-a783-4219f46682ea},720,8592,3124688,SecurityEvent, +,"10/17/2024, 4:21:21.807 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saaslabs,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{13668c08-8975-4a84-991c-47f374258959},720,8592,3124690,SecurityEvent, +,"10/17/2024, 4:21:21.964 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brusha,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{524944e7-9077-42dd-b1c4-7bac44ba34d0},720,8592,3124692,SecurityEvent, +,"10/17/2024, 4:21:22.454 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebersohl,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd7fd538-3825-4d5c-854b-89abc1008c35},720,8592,3124694,SecurityEvent, +,"10/17/2024, 4:21:22.490 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soomaali,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bd7aa3a4-f5e8-4cc3-9077-ddef3af9f122},720,8592,3124696,SecurityEvent, +,"10/17/2024, 4:21:23.081 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gaytanes,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{adfd16be-647c-468c-a855-770c87b0d0a5},720,8592,3124698,SecurityEvent, +,"10/17/2024, 4:21:23.452 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royautes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2b5a73de-3691-4f1e-b873-2230a7a617be},720,8592,3124700,SecurityEvent, +,"10/17/2024, 4:21:23.622 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buhs,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c63ee58-893f-435a-b49f-b34455e593f0},720,8592,3124702,SecurityEvent, +,"10/17/2024, 4:21:24.107 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaglewindow,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{40843699-2f04-4cab-b6e5-836fc7713e31},720,8592,3124704,SecurityEvent, +,"10/17/2024, 4:21:24.143 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spacesavers,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{77a91b59-40db-48fa-8bc7-e770b52dcd40},720,8592,3124706,SecurityEvent, +,"10/17/2024, 4:21:24.171 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gholson,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{efeedd5d-310a-4fd8-a466-a0b25f5021ad},720,8592,3124708,SecurityEvent, +,"10/17/2024, 4:21:25.139 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ryzome,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4cd89799-6a62-4829-917a-197717d98055},720,8592,3124710,SecurityEvent, +,"10/17/2024, 4:21:25.304 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brakie,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{281a604b-767d-4fc7-a3c1-f426276bb4ea},720,8592,3124712,SecurityEvent, +,"10/17/2024, 4:21:25.348 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giftdoodle,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dece0e8c-ab86-4577-8f4b-78c01b576a80},720,8592,3124714,SecurityEvent, +,"10/17/2024, 4:21:25.820 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,easirun,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9a3f8590-8a11-482a-ab54-dffcdb07bf72},720,8592,3124716,SecurityEvent, +,"10/17/2024, 4:21:25.831 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprigeo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c7cd6f77-0cc5-4077-bc1e-0adae9d5f630},720,8592,3124718,SecurityEvent, +,"10/17/2024, 4:21:26.793 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rrpartners,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4325da1b-36a9-467c-b081-baa9d5a51527},720,8592,3124720,SecurityEvent, +,"10/17/2024, 4:21:26.867 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gehtsoftusa,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5275e6b7-86f5-430e-bb45-6d81a5bf7ab5},720,8592,3124722,SecurityEvent, +,"10/17/2024, 4:21:26.972 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bundesbank,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{866cc814-c694-4a89-9bfe-345cb60c20d1},720,8592,3124724,SecurityEvent, +,"10/17/2024, 4:21:27.620 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spends,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dbb94b25-f773-4fae-82e2-e41f862ebba1},720,8592,3124726,SecurityEvent, +,"10/17/2024, 4:21:28.017 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,generazio,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5c068857-5925-4816-be2c-4c98afcb688a},720,8592,3124728,SecurityEvent, +,"10/17/2024, 4:21:28.209 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edilora,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{70bb4fdc-8ce8-4b48-92e9-bb46da1e8fe0},720,8592,3124730,SecurityEvent, +,"10/17/2024, 4:21:28.441 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rotacare,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bccbe6fd-fc9e-44b8-ae86-45c290e9fb24},720,8592,3124732,SecurityEvent, +,"10/17/2024, 4:21:28.627 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bronfin,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f97a1db-2912-4f8e-a688-9f6db6e2a3cc},720,8592,3124734,SecurityEvent, +,"10/17/2024, 4:21:29.273 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,socialiqapp,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{716b4b80-0e0b-49af-9e18-cdef58d3f5fc},720,8592,3124736,SecurityEvent, +,"10/17/2024, 4:21:29.408 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbfstrategy,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{702624ec-aa8f-4074-a8b1-f51357877273},720,8592,3124738,SecurityEvent, +,"10/17/2024, 4:21:30.062 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebricks,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e4a26e77-a3d8-4afa-a230-7bbe927b53cf},720,8592,3124740,SecurityEvent, +,"10/17/2024, 4:21:30.102 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rymax,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa740742-013e-45ee-8296-7bbbb0b40fba},720,8592,3124742,SecurityEvent, +,"10/17/2024, 4:21:30.373 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brynolf,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8879bf4f-aa3c-4b19-8131-5c1ecb271d8e},720,8592,3124744,SecurityEvent, +,"10/17/2024, 4:21:30.935 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spilled,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d9a45391-c87b-4130-883c-1366d46ac2b3},720,8592,3124746,SecurityEvent, +,"10/17/2024, 4:21:31.576 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garazation,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f8ebef9-0eec-42f9-9f6f-47231383e5e2},720,8592,3124750,SecurityEvent, +,"10/17/2024, 4:21:31.710 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eblingerpartner,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{70b9b906-3081-418d-8003-70c49bcf58c3},720,8592,3124752,SecurityEvent, +,"10/17/2024, 4:21:31.764 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roirobot,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f9c82a58-be42-4250-9113-ed7511165d12},720,8592,3124754,SecurityEvent, +,"10/17/2024, 4:21:32.020 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brannens,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bb3ec753-e0b2-4182-8ef2-147beeee23f9},720,8592,3124756,SecurityEvent, +,"10/17/2024, 4:21:32.591 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinalgraft,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b59b760c-ba9b-4014-8584-d8d1897aba62},720,8592,3124758,SecurityEvent, +,"10/17/2024, 4:21:32.650 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getcontracker,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a730061f-02f7-4316-b1cc-e7afca9cbec2},720,8592,3124760,SecurityEvent, +,"10/17/2024, 4:21:33.476 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sadorra,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{42f9a561-5506-4fd7-b5ef-6e936dc0a812},720,8592,3124762,SecurityEvent, +,"10/17/2024, 4:21:33.674 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunyard,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f9918621-2a23-4810-b86f-24c81b15b820},720,8592,3124764,SecurityEvent, +,"10/17/2024, 4:21:33.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geminibe,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e097b306-2d37-4cff-bb9c-ff3ccfa9a075},720,8592,3124766,SecurityEvent, +,"10/17/2024, 4:21:33.750 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecarclub,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a4d6f48-2065-439a-a587-7b3d6c2e6535},720,8592,3124768,SecurityEvent, +,"10/17/2024, 4:21:34.307 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speedyclean,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1bba566e-93ef-4100-87ba-28a0b2363557},720,8592,3124770,SecurityEvent, +,"10/17/2024, 4:21:34.813 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gandiva,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{acd62d58-d928-4759-8a09-dbd155566de1},720,8592,3124772,SecurityEvent, +,"10/17/2024, 4:21:35.131 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sajid,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59ac20e1-2aad-4202-909d-53d57092b352},720,8592,3124774,SecurityEvent, +,"10/17/2024, 4:21:35.335 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandcrush,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0496143e-d946-4f0a-86b3-898f4c4e818e},720,8592,3124776,SecurityEvent, +,"10/17/2024, 4:21:35.677 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaternityag,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e7c60fac-7e96-4281-bd45-523ce0c46c8a},720,8592,3124778,SecurityEvent, +,"10/17/2024, 4:21:35.890 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getlockdown,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{816fdf00-173b-4608-ab28-3533dc7e9158},720,8592,3124780,SecurityEvent, +,"10/17/2024, 4:21:35.956 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solomo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{db555e38-1cd0-48af-9cb9-c2f0915035ee},720,8592,3124782,SecurityEvent, +,"10/17/2024, 4:21:36.825 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sagona,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed9e2bbe-5f1c-41ee-ae25-382fe37975b3},720,8592,3124784,SecurityEvent, +,"10/17/2024, 4:21:37.002 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brainiackids,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67de7567-8ac2-4ef3-8774-5939f55aee55},720,8592,3124786,SecurityEvent, +,"10/17/2024, 4:21:37.084 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getman,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5154446-928e-4377-89fb-bf323efe75c4},720,8592,3124788,SecurityEvent, +,"10/17/2024, 4:21:37.331 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebosgroup,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3631b435-7720-4b07-ac64-fd64261226c0},720,8592,3124790,SecurityEvent, +,"10/17/2024, 4:21:37.605 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soulia,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa73b8ec-b843-4db8-9e95-01b1d5fc6866},720,8592,3124792,SecurityEvent, +,"10/17/2024, 4:21:38.167 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gen-re,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{27b8c346-0ee0-4a6d-a1ea-5964bc455d17},720,8592,3124794,SecurityEvent, +,"10/17/2024, 4:21:38.476 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saamya,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{476860b0-6451-414c-bf7a-ca9e9b061c40},720,8592,3124796,SecurityEvent, +,"10/17/2024, 4:21:38.651 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bundlar,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f7d132d-91e2-415e-a534-87943c47af42},720,8592,3124798,SecurityEvent, +,"10/17/2024, 4:21:39.174 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eisen-fischer,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e7d10526-5acb-4592-802b-07a8371e8b13},720,8592,3124800,SecurityEvent, +,"10/17/2024, 4:21:39.245 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garchen,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0af42f3-b72c-481f-9f40-8dbf6bcec477},720,8592,3124802,SecurityEvent, +,"10/17/2024, 4:21:39.425 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprinly,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a475c39f-3270-483c-a01d-0c29dfbaba01},720,8592,3124804,SecurityEvent, +,"10/17/2024, 4:21:40.128 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rosenvick,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ebe09ef6-bff2-473a-96b1-c831f814d27c},720,8592,3124806,SecurityEvent, +,"10/17/2024, 4:21:40.414 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brooklynchic,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06eda52f-d46e-41c5-9c64-f1293a58cecb},720,8592,3124808,SecurityEvent, +,"10/17/2024, 4:21:40.929 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gios,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{055fbdc7-3b4d-493c-91ac-61845e273f3c},720,8592,3124810,SecurityEvent, +,"10/17/2024, 4:21:41.069 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soulwinning,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa23c72f-f69d-4aec-aa46-443a296064df},720,8592,3124812,SecurityEvent, +,"10/17/2024, 4:21:41.786 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elisium,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ce91c38d-eb9a-4671-a044-8feb09e8b0d9},720,8592,3124814,SecurityEvent, +,"10/17/2024, 4:21:41.787 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rqteam,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7c3a2a4-2cc2-4c9a-bec2-d713c339d98e},720,8592,3124816,SecurityEvent, +,"10/17/2024, 4:21:42.059 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buro-valk,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b96d4911-aa52-412a-849a-e0ca374a3571},720,8592,3124818,SecurityEvent, +,"10/17/2024, 4:21:42.080 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gds2,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cf053a41-d59f-4ae6-be20-3a4af04690a3},720,8592,3124820,SecurityEvent, +,"10/17/2024, 4:21:42.715 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spcc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3be994fc-e633-4b34-97b4-76e1bd9f10ae},720,8592,3124822,SecurityEvent, +,"10/17/2024, 4:21:43.174 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gavda,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3d18d680-efc6-4867-9c9f-ede3e8ba5572},720,8592,3124824,SecurityEvent, +,"10/17/2024, 4:21:43.443 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elifelimo,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c3892893-ff7b-477b-866e-48263e1fc120},720,8592,3124826,SecurityEvent, +,"10/17/2024, 4:21:43.549 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salta,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{13d48308-4888-4b30-ba6e-f0df6e4492b0},720,8592,3124828,SecurityEvent, +,"10/17/2024, 4:21:43.721 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boxcast,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04afa4bd-9d88-430e-81c3-187e3bb5c3a7},720,8592,3124830,SecurityEvent, +,"10/17/2024, 4:21:44.249 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemologist,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{46f06495-228c-44d8-bc17-5ca5d1297732},720,8592,3124832,SecurityEvent, +,"10/17/2024, 4:21:44.515 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soleeds,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{98850765-6236-432d-a40a-971d9ccf8e42},720,8592,3124834,SecurityEvent, +,"10/17/2024, 4:21:45.204 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safelagoon,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c09b5e55-7a6e-4d40-98ce-a7f4d58f3e38},720,8592,3124836,SecurityEvent, +,"10/17/2024, 4:21:45.247 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econiq,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a8295448-3680-4e53-b098-2d65bc3b359e},720,8592,3124838,SecurityEvent, +,"10/17/2024, 4:21:45.374 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,branhams,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b9e4471b-d2de-4664-949c-554f72513998},720,8592,3124840,SecurityEvent, +,"10/17/2024, 4:21:45.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giftos,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4597d188-084d-4d79-902b-9d42aef719b6},720,8592,3124842,SecurityEvent, +,"10/17/2024, 4:21:46.158 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spurwing,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{569a52a3-1f4b-4279-98f4-fc29e05091a8},720,8592,3124844,SecurityEvent, +,"10/17/2024, 4:21:46.901 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salori,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e6d5b0a0-440e-428f-94cb-ba05964eb8d8},720,8592,3124846,SecurityEvent, +,"10/17/2024, 4:21:46.960 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ectropia,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{332bc5a0-62fb-43aa-97c9-52ffee680b71},720,8592,3124848,SecurityEvent, +,"10/17/2024, 4:21:47.041 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brownmeyers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6a3afc8e-15d5-4af1-a5e4-ebfdacb53620},720,8592,3124850,SecurityEvent, +,"10/17/2024, 4:21:47.105 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,georadix,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbe5a415-8791-4dc7-98f2-56e684aff471},720,8592,3124852,SecurityEvent, +,"10/17/2024, 4:21:47.803 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportcar,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c4ce15f6-dff1-4aac-a529-d74c3bdd0928},720,8592,3124854,SecurityEvent, +,"10/17/2024, 4:21:48.173 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getstarted,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11a77685-96d0-4218-85ab-441bd83168a8},720,8592,3124856,SecurityEvent, +,"10/17/2024, 4:21:48.641 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruhrpumpen,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9448d08f-0bf5-4233-a3f1-b7dedea4a59d},720,8592,3124858,SecurityEvent, +,"10/17/2024, 4:21:48.689 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightsitez,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b004cf1e-f90d-40a1-9e55-4079ced8fc04},720,8592,3124860,SecurityEvent, +,"10/17/2024, 4:21:49.267 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gildemeister,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{79608303-495b-419c-a848-411056704308},720,8592,3124862,SecurityEvent, +,"10/17/2024, 4:21:49.510 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,squalo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{70573944-54d6-45cc-aa74-b0e9404a6b7e},720,8592,3124864,SecurityEvent, +,"10/17/2024, 4:21:49.612 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecs6be8,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8534139-2080-41c2-80ef-a1e726cd18c7},720,8592,3124866,SecurityEvent, +,"10/17/2024, 4:21:50.292 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruwach,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{706761c3-d00c-417e-87a1-25e01b582f13},720,8592,3124868,SecurityEvent, +,"10/17/2024, 4:21:50.333 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunkerlabs,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1936dbfa-ecc0-4f33-bd00-028e7853af49},720,8592,3124870,SecurityEvent, +,"10/17/2024, 4:21:50.346 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ganksoft,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d9c09ac-c1f1-4854-abf1-f86c2c20401d},720,8592,3124872,SecurityEvent, +,"10/17/2024, 4:21:51.166 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soluserv,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2664c096-3647-4c7b-82cf-0148825a5a6f},720,8592,3124874,SecurityEvent, +,"10/17/2024, 4:21:51.265 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edcanvas,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f35c48c3-f254-4f16-94b7-67f881d4ba31},720,8592,3124876,SecurityEvent, +,"10/17/2024, 4:21:51.950 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salwan,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1859b21a-f0b4-4957-b389-f6298f1d9928},720,8592,3124878,SecurityEvent, +,"10/17/2024, 4:21:52.046 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brancore,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fdbc4b36-62a3-4672-9361-fb9ad12d89ef},720,8592,3124880,SecurityEvent, +,"10/17/2024, 4:21:52.155 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getplaintext,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{116727c7-c709-4574-ac51-a627007b5516},720,8592,3124882,SecurityEvent, +,"10/17/2024, 4:21:52.822 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solutionwerx,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{814061da-d920-45c1-9eee-9cf849fe97eb},720,8592,3124884,SecurityEvent, +,"10/17/2024, 4:21:52.915 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electromn,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{63e6551c-ce68-45a9-be71-988a4922ced6},720,8592,3124886,SecurityEvent, +,"10/17/2024, 4:21:53.253 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gatso,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{19a0d76b-9dbc-4893-983c-ffce7dd6d60a},720,8592,3124888,SecurityEvent, +,"10/17/2024, 4:21:53.717 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightfieldts,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d79cd764-ece1-47c4-bd1e-07614d9ba5f2},720,8592,3124890,SecurityEvent, +,"10/17/2024, 4:21:53.763 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rolleston,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04ef5e5d-f3e3-4ce3-9127-60f803aac7c9},720,8592,3124892,SecurityEvent, +,"10/17/2024, 4:21:54.477 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonotech,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{24d18b85-3470-49c7-8e16-4f519ebc97ed},720,8592,3124894,SecurityEvent, +,"10/17/2024, 4:21:54.550 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gawh,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bf93d7e4-51b1-4af7-b388-62994a64aea8},720,8592,3124896,SecurityEvent, +,"10/17/2024, 4:21:54.851 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,egelston,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f38286fe-8f02-4500-bd24-1aab1043f761},720,8592,3124898,SecurityEvent, +,"10/17/2024, 4:21:55.373 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bumbinos,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a5f1387f-0291-4ddc-8707-9053f6856938},720,8592,3124900,SecurityEvent, +,"10/17/2024, 4:21:55.424 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rollupkungen,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a2985ae-47da-429e-8c92-96c5a08e8a44},720,8592,3124902,SecurityEvent, +,"10/17/2024, 4:21:55.863 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gendusa,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0542e997-ec7e-4690-a5cd-3761772b2fae},720,8592,3124904,SecurityEvent, +,"10/17/2024, 4:21:56.305 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solatrax,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d2799563-6e5c-4559-95ea-2b7cd795bece},720,8592,3124906,SecurityEvent, +,"10/17/2024, 4:21:56.741 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edvee,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f708555-18a5-41da-bc2f-d4755632b2b0},720,8592,3124908,SecurityEvent, +,"10/17/2024, 4:21:57.082 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rs21,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ae2b607-5812-42d5-9d2c-dc7d81cb192b},720,8592,3124910,SecurityEvent, +,"10/17/2024, 4:21:57.088 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,branes,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a53dae79-6be3-4e25-9345-000f17b04b22},720,8592,3124912,SecurityEvent, +,"10/17/2024, 4:21:57.357 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbaudio,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d699d8ce-35ce-4a5b-b3e3-da0ceaa29dd9},720,8592,3124914,SecurityEvent, +,"10/17/2024, 4:21:57.961 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spickard,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{16e85a86-b86d-4c73-9129-16d5c1de1d00},720,8592,3124916,SecurityEvent, +,"10/17/2024, 4:21:58.391 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,effectual,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1b1b1070-6f51-44f0-9c82-faf51f3690db},720,8592,3124918,SecurityEvent, +,"10/17/2024, 4:21:58.432 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gematsu,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{429bf710-af60-401f-8960-caf525d22c74},720,8592,3124920,SecurityEvent, +,"10/17/2024, 4:21:58.817 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burgeonvest,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4113d3fb-997a-4a9c-a386-884b3b54baa5},720,8592,3124922,SecurityEvent, +,"10/17/2024, 4:21:58.852 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sagex,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67955f71-8e59-46c5-be10-2a2d580c6b50},720,8592,3124924,SecurityEvent, +,"10/17/2024, 4:21:59.617 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sqeeqee,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a21f072b-2136-443f-8c7a-dbc0ab2bbc75},720,8592,3124926,SecurityEvent, +,"10/17/2024, 4:21:59.760 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getlivfresh,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b99a736e-321d-4b79-9469-bfcfab94ccda},720,8592,3124928,SecurityEvent, +,"10/17/2024, 4:22:20.022 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softaide,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d6fc6298-f0cf-4b68-aa63-b18f6b7352b5},720,8592,3125052,SecurityEvent, +,"10/17/2024, 4:22:20.243 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gc1,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3b3b49a-12bc-4597-bb9a-e024d70b9eb7},720,8592,3125054,SecurityEvent, +,"10/17/2024, 4:22:20.333 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elster-group,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9e288be0-27e0-4ab2-bc7a-41e6a5765c81},720,8592,3125056,SecurityEvent, +,"10/17/2024, 4:22:20.518 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bths,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b9038dfb-a091-4458-8a17-45abe3ad44af},720,8592,3125058,SecurityEvent, +,"10/17/2024, 4:22:20.672 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rrawdindds,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2368ad5e-6681-4c16-97e7-ab3b82702085},720,8592,3125060,SecurityEvent, +,"10/17/2024, 4:22:21.675 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportsgrid,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c3202173-8294-47bf-a85c-b03cf2836c12},720,8592,3125062,SecurityEvent, +,"10/17/2024, 4:22:21.991 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elar,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5af8ab4b-dcdb-4eeb-bf26-c6080f02adcd},720,8592,3125064,SecurityEvent, +,"10/17/2024, 4:22:22.043 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getneema,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49306eb0-f92c-422b-b6aa-b2960f2b5546},720,8592,3125066,SecurityEvent, +,"10/17/2024, 4:22:22.194 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,britishboxers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ea400ce4-fb23-4e23-a28c-f8852f658fa8},720,8592,3125068,SecurityEvent, +,"10/17/2024, 4:22:22.330 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sagez,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{818d8262-5a21-4620-a4d8-e273c5b4e80e},720,8592,3125070,SecurityEvent, +,"10/17/2024, 4:22:23.335 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softlanding,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{58636956-0ac1-4be5-a86e-e5c0048fc643},720,8592,3125072,SecurityEvent, +,"10/17/2024, 4:22:23.353 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garycollins,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{af5e4ad8-65f6-4b0a-95b3-103c462f0664},720,8592,3125074,SecurityEvent, +,"10/17/2024, 4:22:23.676 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecochlor,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dfa3a0b5-b486-4c4f-9d95-49d4ab554dae},720,8592,3125076,SecurityEvent, +,"10/17/2024, 4:22:23.869 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bryntum,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bde391f1-9498-4e03-b0e0-561104d69b57},720,8592,3125078,SecurityEvent, +,"10/17/2024, 4:22:23.988 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roreinc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{829fe943-817d-40d1-869b-da16593bc2d4},720,8592,3125080,SecurityEvent, +,"10/17/2024, 4:22:24.624 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,georgiy,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{75c079c6-e50f-42d8-a0c9-5e723fff3ba6},720,8592,3125082,SecurityEvent, +,"10/17/2024, 4:22:25.025 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spectramedex,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{905cf9e9-378c-4743-8da1-abc5452cb22f},720,8592,3125084,SecurityEvent, +,"10/17/2024, 4:22:25.382 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elektrospaeni,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b6951f2c-ab9b-44bc-9894-ef954d9a30e1},720,8592,3125086,SecurityEvent, +,"10/17/2024, 4:22:25.531 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bucketlisters,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a6ab63d-3a34-4761-87e7-55165f102917},720,8592,3125088,SecurityEvent, +,"10/17/2024, 4:22:25.696 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rotisol,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44d144ec-0e97-4bbd-bccd-6f2f94820a1d},720,8592,3125090,SecurityEvent, +,"10/17/2024, 4:22:25.818 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geturns,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f7a81be-441f-45e8-9dcc-d883f07dda2b},720,8592,3125092,SecurityEvent, +,"10/17/2024, 4:22:26.675 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solamatrix,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{10d6a318-353d-484b-b26e-c78c346f1461},720,8592,3125094,SecurityEvent, +,"10/17/2024, 4:22:27.040 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eltech,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f1c8ae55-9f9e-4adc-b0a7-37093616e10a},720,8592,3125096,SecurityEvent, +,"10/17/2024, 4:22:27.234 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brickhd,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{96991bb9-9b1b-4ed0-9259-cbc48d344cd0},720,8592,3125098,SecurityEvent, +,"10/17/2024, 4:22:27.358 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rollrr,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cadc2a72-e23e-4518-bcda-c0ac423bddff},720,8592,3125100,SecurityEvent, +,"10/17/2024, 4:22:27.657 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getachoo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97cdff46-1432-4082-9a0f-5383e0f8e2a9},720,8592,3125102,SecurityEvent, +,"10/17/2024, 4:22:28.334 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spidrtech,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2990e735-d5c6-437b-a7c9-3ebd3b48d7d3},720,8592,3125104,SecurityEvent, +,"10/17/2024, 4:22:28.727 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbrx,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2f27b8a-50e2-4d00-ac79-f709e6aa6605},720,8592,3125106,SecurityEvent, +,"10/17/2024, 4:22:28.748 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eicind,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2e08a80b-9d15-4af9-9a00-8a24f196cff3},720,8592,3125108,SecurityEvent, +,"10/17/2024, 4:22:28.894 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bucheler,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8da42544-8bc6-4f3f-b5d9-8bee57208b4c},720,8592,3125110,SecurityEvent, +,"10/17/2024, 4:22:29.010 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rupalee,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6be8290f-dcee-42d5-9868-7e560a190b4d},720,8592,3125112,SecurityEvent, +,"10/17/2024, 4:22:30.111 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spruceitup,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4de426d7-6d71-49c9-843b-4d6793954d6a},720,8592,3125114,SecurityEvent, +,"10/17/2024, 4:22:30.166 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gastrovision,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3c3e6213-0744-4797-b776-04d0d087368e},720,8592,3125116,SecurityEvent, +,"10/17/2024, 4:22:30.411 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econorthwest,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{37f310f6-25d4-4f1c-83f6-0a0f8cc7e30d},720,8592,3125118,SecurityEvent, +,"10/17/2024, 4:22:30.577 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bursich,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b92c9df1-755d-4a1f-8e7e-a8627103652c},720,8592,3125120,SecurityEvent, +,"10/17/2024, 4:22:30.660 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rtbrokerage,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e4c0c70-8a77-4bc4-854d-ba3f1403c6ce},720,8592,3125122,SecurityEvent, +,"10/17/2024, 4:22:31.270 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghoston,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e43c6496-99df-4588-bb4c-254118daf8b3},720,8592,3125126,SecurityEvent, +,"10/17/2024, 4:22:31.783 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spearinc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8773c4fc-f8b5-46ba-bcd8-89dfef70a493},720,8592,3125128,SecurityEvent, +,"10/17/2024, 4:22:32.079 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ele-ment,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{210aeb6a-d476-4ffc-bbbf-f0c3a8ed0f77},720,8592,3125130,SecurityEvent, +,"10/17/2024, 4:22:32.233 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bullen,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b04fddb-3c13-4905-9208-3c85139335c5},720,8592,3125132,SecurityEvent, +,"10/17/2024, 4:22:32.397 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,russi,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8a4c5c2e-d478-4ec9-aec1-feef4386906b},720,8592,3125134,SecurityEvent, +,"10/17/2024, 4:22:32.711 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genoox,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{52c3cca7-382b-4aa2-976b-9ea305bf8220},720,8592,3125136,SecurityEvent, +,"10/17/2024, 4:22:33.439 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprocketlab,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{646fb2f1-2d22-4aba-b5b7-6825b85f11b1},720,8592,3125138,SecurityEvent, +,"10/17/2024, 4:22:33.783 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsis,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ac3dd5f4-1365-4094-ad93-35a2bf8f4a53},720,8592,3125140,SecurityEvent, +,"10/17/2024, 4:22:33.801 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gatefeed,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{137a6445-eb78-4e16-a484-9130af57bcec},720,8592,3125142,SecurityEvent, +,"10/17/2024, 4:22:33.883 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,browdys,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f091b018-bb06-4573-95fd-6e0d724325b8},720,8592,3125144,SecurityEvent, +,"10/17/2024, 4:22:34.073 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saifs,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5ed49f7-8cd7-4bd2-b87e-e201021167e1},720,8592,3125146,SecurityEvent, +,"10/17/2024, 4:22:35.186 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somentec,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0308ddf4-8675-40f7-a513-f2235eacec47},720,8592,3125148,SecurityEvent, +,"10/17/2024, 4:22:35.331 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giftibly,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b08e1b2b-a063-41fe-922e-9e55efeddba8},720,8592,3125150,SecurityEvent, +,"10/17/2024, 4:22:35.442 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eboard,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a2428f0-c34e-4c90-9d4d-2c4046ca45cb},720,8592,3125152,SecurityEvent, +,"10/17/2024, 4:22:35.535 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breannabaker,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50ba2491-20b3-4c15-b09b-00cd7a82eeb8},720,8592,3125154,SecurityEvent, +,"10/17/2024, 4:22:35.719 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samaritan,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{956b8c7f-a884-4dd6-be0e-f2eadaae8953},720,8592,3125156,SecurityEvent, +,"10/17/2024, 4:22:36.666 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,98.70.64.41,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ftpuser,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f98eaa0-0d26-45ac-aedb-300af8a59bdb},720,8592,3125158,SecurityEvent, +,"10/17/2024, 4:22:36.835 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,glamourcraft,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3b915b0c-0187-4dc9-ad3c-d0e6708affe4},720,8592,3125160,SecurityEvent, +,"10/17/2024, 4:22:36.841 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solidleaders,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{087b8d7f-5dcb-4435-bcf8-0825650516c7},720,8592,3125162,SecurityEvent, +,"10/17/2024, 4:22:37.091 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebssecurity,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9f4ec09e-9fff-42b0-bc52-6e6334ef8f12},720,8592,3125164,SecurityEvent, +,"10/17/2024, 4:22:37.188 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burtco,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{29519bb0-e5bd-4e24-84ec-83d81975fcb3},720,8592,3125166,SecurityEvent, +,"10/17/2024, 4:22:37.399 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rpi,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc9251e2-2a93-4f24-92d3-1991ca6d1304},720,8592,3125168,SecurityEvent, +,"10/17/2024, 4:22:38.245 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghermez,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bf3f3a2b-f67e-4c11-9ad2-ad4f9cdeb5af},720,8592,3125170,SecurityEvent, +,"10/17/2024, 4:22:38.498 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soothsayre,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2d9562c1-1f64-488d-b0b3-0908d75ad35b},720,8592,3125172,SecurityEvent, +,"10/17/2024, 4:22:38.747 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eldersource,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c215ab1b-d523-46c7-84e1-2bb1cab37074},720,8592,3125174,SecurityEvent, +,"10/17/2024, 4:22:38.842 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breuning,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4e1e17dc-3338-4139-8cb8-33aa9795cd5f},720,8592,3125176,SecurityEvent, +,"10/17/2024, 4:22:39.050 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roomian,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2d34f1a5-1088-491e-8d0b-6dc789b47437},720,8592,3125178,SecurityEvent, +,"10/17/2024, 4:22:39.888 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gencoshipping,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5c2cc1c5-ae23-4717-85f6-f55e31e1b6f5},720,8592,3125180,SecurityEvent, +,"10/17/2024, 4:22:40.150 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softcube,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{152bcfbc-502c-489c-9e72-af1baa594770},720,8592,3125182,SecurityEvent, +,"10/17/2024, 4:22:40.429 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earthblend,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{448bd2d8-bed5-4034-be21-886a90483ff5},720,8592,3125184,SecurityEvent, +,"10/17/2024, 4:22:40.500 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brimore,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6e040c7-0761-46a2-9363-33915ccf8934},720,8592,3125186,SecurityEvent, +,"10/17/2024, 4:22:40.697 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rondeux,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{612c1d9d-bc0f-49e1-b941-0e5d595a1be1},720,8592,3125188,SecurityEvent, +,"10/17/2024, 4:22:41.685 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gardenghi,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fab44514-030f-4959-952b-73093de50626},720,8592,3125190,SecurityEvent, +,"10/17/2024, 4:22:41.844 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportyhq,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0873a47-b106-461f-aba2-ac04322a7bf5},720,8592,3125192,SecurityEvent, +,"10/17/2024, 4:22:42.149 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breykrause,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca575b70-bb1b-442c-b44f-c7332288ed86},720,8592,3125194,SecurityEvent, +,"10/17/2024, 4:22:42.149 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elhilow,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5d3b876f-8b56-4b7a-a165-7e0faf2e74d1},720,8592,3125196,SecurityEvent, +,"10/17/2024, 4:22:42.403 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samsontug,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{07eb3697-77b8-4aec-8042-4d62f900c23b},720,8592,3125198,SecurityEvent, +,"10/17/2024, 4:22:42.761 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfire,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{019478bf-ced8-4f95-81b6-e782f8f73c45},720,8592,3125200,SecurityEvent, +,"10/17/2024, 4:22:43.491 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spotamate,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d583f888-d269-4733-92de-792cff415361},720,8592,3125202,SecurityEvent, +,"10/17/2024, 4:22:43.811 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsome,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{08b0cae4-a5f5-4af4-99c9-3f8e81374a42},720,8592,3125204,SecurityEvent, +,"10/17/2024, 4:22:43.813 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bruzel,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{877661f1-7f1d-4b66-92df-4d993eb78848},720,8592,3125206,SecurityEvent, +,"10/17/2024, 4:22:44.060 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safe-banking,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2af366e9-39da-47da-bdfc-d2df2ead64bf},720,8592,3125208,SecurityEvent, +,"10/17/2024, 4:22:44.734 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gethiyu,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9275ba98-0546-4dff-b3c0-4d9d5bbfd24d},720,8592,3125210,SecurityEvent, +,"10/17/2024, 4:22:45.156 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonburst,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f613e880-01a7-4cf1-8907-32cbb1b5c782},720,8592,3125212,SecurityEvent, +,"10/17/2024, 4:22:45.458 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagle-prec,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{269997c9-8f2a-43a6-bafc-b67112ba73f6},720,8592,3125214,SecurityEvent, +,"10/17/2024, 4:22:45.471 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bpassionit,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f72997d8-9738-4f4b-90e1-ddd35034fa26},720,8592,3125216,SecurityEvent, +,"10/17/2024, 4:22:45.706 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salesmate,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97d37fbf-dda9-43dc-a224-86da611d9e71},720,8592,3125218,SecurityEvent, +,"10/17/2024, 4:22:46.059 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gancos,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d1a29a36-c897-4955-90f8-ab2d5a647352},720,8592,3125220,SecurityEvent, +,"10/17/2024, 4:22:46.975 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sorma,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{137faf31-7b49-48d8-b7cd-bd9949360116},720,8592,3125222,SecurityEvent, +,"10/17/2024, 4:22:47.114 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eligio,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36c9de7a-7f7a-4b35-a3aa-860a74ceb218},720,8592,3125224,SecurityEvent, +,"10/17/2024, 4:22:47.126 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buckservices,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{047b68ab-0263-4132-bb31-17675b72205e},720,8592,3125226,SecurityEvent, +,"10/17/2024, 4:22:47.390 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabourin,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6244bbca-7e09-477f-bd13-bf77bd9d6967},720,8592,3125228,SecurityEvent, +,"10/17/2024, 4:22:47.584 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gisukltd,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{39286978-8232-40f5-a1ea-7576d72d19d8},720,8592,3125230,SecurityEvent, +,"10/17/2024, 4:22:48.633 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprylyfe,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3970c11a-98f6-4f3d-8f24-ba374c27d5a7},720,8592,3125232,SecurityEvent, +,"10/17/2024, 4:22:48.792 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eliasarts,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17b6494d-185c-493f-9e37-147c7215db24},720,8592,3125234,SecurityEvent, +,"10/17/2024, 4:22:48.855 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandfocusgroup,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fe5928d5-c054-4b1d-95e3-84e53005e4e1},720,8592,3125236,SecurityEvent, +,"10/17/2024, 4:22:48.907 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gammavacuum,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{03fa6521-0ce0-4d8a-a815-d54b3a9542c7},720,8592,3125238,SecurityEvent, +,"10/17/2024, 4:22:49.069 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubyseven,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8f761d7-707d-42d9-82b5-18b0c2945f27},720,8592,3125240,SecurityEvent, +,"10/17/2024, 4:22:50.157 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geeksandgurus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dadc855a-037c-4598-9a50-cecb624730af},720,8592,3125242,SecurityEvent, +,"10/17/2024, 4:22:50.288 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprinfield,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cc1aec37-04f2-4f6a-8bce-52071767398a},720,8592,3125244,SecurityEvent, +,"10/17/2024, 4:22:50.501 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brockton,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c2f5e7a-277c-4515-9cdb-978e2b464cf1},720,8592,3125246,SecurityEvent, +,"10/17/2024, 4:22:50.595 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edgecase,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9957c744-8073-4d1c-8945-de2d28c1a171},720,8592,3125248,SecurityEvent, +,"10/17/2024, 4:22:50.731 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sahloul,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99246d5e-a31a-483d-b6e8-c6e831853176},720,8592,3125250,SecurityEvent, +,"10/17/2024, 4:22:51.497 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garison,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{77890354-51a2-435b-bf16-add9d93ee491},720,8592,3125252,SecurityEvent, +,"10/17/2024, 4:22:52.109 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springan,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e594e294-801e-426a-ace8-5d6c145f7ed5},720,8592,3125254,SecurityEvent, +,"10/17/2024, 4:22:52.279 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,braga,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{53b9846e-2e9b-4fa8-95bd-275be3b3d819},720,8592,3125256,SecurityEvent, +,"10/17/2024, 4:22:52.337 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebuehl,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1a7fb210-30da-49c7-b177-5f3f7b177a84},720,8592,3125258,SecurityEvent, +,"10/17/2024, 4:22:52.384 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rogerswillard,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{55a1f08e-e741-4d7a-be29-3b2506fbaa43},720,8592,3125260,SecurityEvent, +,"10/17/2024, 4:22:52.716 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geskus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e0c5687-884e-4d01-af2c-fa21f2607005},720,8592,3125262,SecurityEvent, +,"10/17/2024, 4:22:53.760 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spotterlabs,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{138deac9-d6e6-469d-b909-c77506a8082b},720,8592,3125264,SecurityEvent, +,"10/17/2024, 4:22:53.860 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genrrate,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e43a1401-3d97-441a-aa54-0e62fffc07b5},720,8592,3125266,SecurityEvent, +,"10/17/2024, 4:22:53.957 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bountea,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7d05a78a-06e4-4b23-af74-2241304c64e6},720,8592,3125268,SecurityEvent, +,"10/17/2024, 4:22:53.995 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebm-gmbh,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{108d5797-68a0-429b-8d58-1ffe2a48f7e0},720,8592,3125270,SecurityEvent, +,"10/17/2024, 4:22:54.179 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rooftek,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{761b3b90-925f-47b9-bf80-7601f1a3d8bd},720,8592,3125272,SecurityEvent, +,"10/17/2024, 4:22:55.326 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gkd-re,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9f0f4841-0e06-4d75-a8ad-0b57816bd469},720,8592,3125274,SecurityEvent, +,"10/17/2024, 4:22:55.416 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportpharm,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bae202b9-5777-4dd5-846e-183b3301a6e4},720,8592,3125276,SecurityEvent, +,"10/17/2024, 4:22:55.602 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brastrom,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc9beb8c-7356-4fce-ac1e-33be90d0e667},720,8592,3125278,SecurityEvent, +,"10/17/2024, 4:22:55.648 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecpnetwork,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a133b605-a964-435c-8e5a-f735aa37618b},720,8592,3125280,SecurityEvent, +,"10/17/2024, 4:22:55.882 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rusd,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8e129976-9e94-4229-b0c5-c3f2915789fd},720,8592,3125282,SecurityEvent, +,"10/17/2024, 4:22:57.115 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softwaremart,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1c24aeb7-6030-4299-95ea-19ab2fd136a0},720,8592,3125284,SecurityEvent, +,"10/17/2024, 4:22:57.148 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamified,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c92fe927-ed38-4101-81df-332f3cabc857},720,8592,3125286,SecurityEvent, +,"10/17/2024, 4:22:57.441 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elcona,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bddb74fe-7da3-4c79-8e24-72cd2e9879d8},720,8592,3125288,SecurityEvent, +,"10/17/2024, 4:22:57.448 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildr,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{769fbc51-4617-4f1c-84e7-fc616b26f723},720,8592,3125290,SecurityEvent, +,"10/17/2024, 4:22:57.541 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,s2bn,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ba4c6b30-0e85-495f-8bc0-04009c23d048},720,8592,3125292,SecurityEvent, +,"10/17/2024, 4:22:58.282 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemark,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7094342f-84b4-4f66-9c7a-df5f74c9acdd},720,8592,3125294,SecurityEvent, +,"10/17/2024, 4:22:58.788 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sperry,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{862376ca-50dc-4deb-b12d-8ab61bcfccd9},720,8592,3125296,SecurityEvent, +,"10/17/2024, 4:22:59.100 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eikolytics-ab,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8ce3ce1-d252-46c1-bbc5-8f09bff21fc0},720,8592,3125298,SecurityEvent, +,"10/17/2024, 4:22:59.190 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rohdes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dfef14a2-916c-4c97-b8d1-79c9f885e4e7},720,8592,3125300,SecurityEvent, +,"10/17/2024, 4:22:59.234 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boulderwear,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{737d34ab-7e01-4a4f-a2b3-f004c91b2671},720,8592,3125302,SecurityEvent, +,"10/17/2024, 4:22:59.753 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getasapp,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c34fb7bc-4a12-415c-9011-f27ac9c76205},720,8592,3125304,SecurityEvent, +,"10/17/2024, 4:23:20.659 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getpixus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cc858f22-c153-4203-8f26-c756e8deb75d},720,8164,3125430,SecurityEvent, +,"10/17/2024, 4:23:20.788 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eckhouse,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{31c6c067-f574-4f16-902d-47111645cf5e},720,8164,3125432,SecurityEvent, +,"10/17/2024, 4:23:20.799 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sodexhp,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dcfda2b5-78ae-40fa-9fc0-5173e5fb88ee},720,8164,3125434,SecurityEvent, +,"10/17/2024, 4:23:21.272 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bubcart,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{48f59831-ed83-41c2-a057-a50b21b5a35c},720,8164,3125436,SecurityEvent, +,"10/17/2024, 4:23:21.507 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safetypg,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{adc0ef14-aabc-4e68-a1cd-176e002159a2},720,8164,3125438,SecurityEvent, +,"10/17/2024, 4:23:22.457 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebo,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{689033df-ef9b-4bbc-b569-7633fbc7e067},720,8164,3125440,SecurityEvent, +,"10/17/2024, 4:23:22.458 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spyne,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c155aaba-8aa9-4fc6-9668-d5d7fda258d2},720,8164,3125442,SecurityEvent, +,"10/17/2024, 4:23:22.759 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getklox,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{923cd4e6-5e44-4267-b140-602e7689d5fc},720,8164,3125444,SecurityEvent, +,"10/17/2024, 4:23:22.925 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brazenglobal,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{03b4fd03-d1c6-450f-9d22-a05ceef09064},720,8164,3125446,SecurityEvent, +,"10/17/2024, 4:23:23.165 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ronsen,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e99d341f-05ea-4cb8-8160-79af7b96360d},720,8164,3125448,SecurityEvent, +,"10/17/2024, 4:23:24.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonnentaler,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d5692777-aad4-424c-bd62-48504040a69d},720,8164,3125450,SecurityEvent, +,"10/17/2024, 4:23:24.114 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eklipse,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a59203fc-4b34-4bc8-af6f-96733ddc054b},720,8164,3125452,SecurityEvent, +,"10/17/2024, 4:23:24.150 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbrabs,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{555c139f-66ac-432a-9485-f89a51e9142c},720,8164,3125454,SecurityEvent, +,"10/17/2024, 4:23:24.638 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightkite,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8d904b7b-a806-472f-84fe-8e9ce8f8aed2},720,8164,3125456,SecurityEvent, +,"10/17/2024, 4:23:24.826 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rygre,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{12e98a88-90c2-41f0-9e7f-af50427975b3},720,8164,3125458,SecurityEvent, +,"10/17/2024, 4:23:25.557 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gilliatte,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44bc8260-c3b8-413f-b249-89c856b46501},720,8164,3125460,SecurityEvent, +,"10/17/2024, 4:23:25.852 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solmed,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{001202b6-a5c2-4de8-868d-0d3a0ece68b4},720,8164,3125462,SecurityEvent, +,"10/17/2024, 4:23:26.118 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ehrlinked,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{69c2c90e-9fbe-4d4c-8649-a867d967ef88},720,8164,3125464,SecurityEvent, +,"10/17/2024, 4:23:26.298 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breathrx,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3f0f28ca-0b64-4f02-b0d1-2254e6556957},720,8164,3125466,SecurityEvent, +,"10/17/2024, 4:23:26.483 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samsungnext,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c6575183-e91d-4680-a641-7540a6902a50},720,8164,3125468,SecurityEvent, +,"10/17/2024, 4:23:27.306 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcmc,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca94e0f6-7d03-4a8e-8da0-d4cad0cccbd5},720,8164,3125470,SecurityEvent, +,"10/17/2024, 4:23:27.505 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somes,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b25893e2-58ad-4063-82f8-02544a1eed3c},720,8164,3125472,SecurityEvent, +,"10/17/2024, 4:23:27.765 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,easween,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{753cac7f-96cd-41b4-b065-52ca3af1deaa},720,8164,3125474,SecurityEvent, +,"10/17/2024, 4:23:27.952 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brownmark,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9bda09c7-04ad-4b16-b8b2-f5f190b73418},720,8164,3125476,SecurityEvent, +,"10/17/2024, 4:23:28.261 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruhlampruhl,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{60142875-616e-4ff5-a13f-f38694b5a7fa},720,8164,3125478,SecurityEvent, +,"10/17/2024, 4:23:29.165 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spirinet,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9635f0ca-b3ee-4349-91e9-5a6337715cb0},720,8164,3125480,SecurityEvent, +,"10/17/2024, 4:23:29.422 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electregy,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a76520e5-a25a-45b0-85cf-e6d82b46154d},720,8164,3125482,SecurityEvent, +,"10/17/2024, 4:23:29.440 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geovista,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{41b3305a-cbe4-4936-99e0-b2af60b7bb6c},720,8164,3125484,SecurityEvent, +,"10/17/2024, 4:23:29.607 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brattleworks,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bf74f421-5a20-4c65-be28-dedd44ea8b6d},720,8164,3125486,SecurityEvent, +,"10/17/2024, 4:23:29.978 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saloonbox,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{528a88e5-000f-4571-b079-725f8e6881b1},720,8164,3125488,SecurityEvent, +,"10/17/2024, 4:23:30.924 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speedees,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{71333e9c-37f4-495e-b0df-1f1aae7ccab5},720,8164,3125490,SecurityEvent, +,"10/17/2024, 4:23:31.087 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebed,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{397f3858-d2e6-4f7c-a3f4-5196ff2ea2d5},720,8164,3125494,SecurityEvent, +,"10/17/2024, 4:23:31.243 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garabar,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1cea8ab5-0662-4bd3-aaa9-f4cbcbeb21fb},720,8164,3125496,SecurityEvent, +,"10/17/2024, 4:23:31.324 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildabrand,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a33e71e0-d722-43c0-90fd-4063bb032188},720,8164,3125498,SecurityEvent, +,"10/17/2024, 4:23:31.637 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rx-precision,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a9db45f8-15c8-459a-880c-0df2be50025b},720,8164,3125500,SecurityEvent, +,"10/17/2024, 4:23:32.611 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sovie,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{46c4346b-c182-429e-8a9f-10bf72cdc1a2},720,8164,3125502,SecurityEvent, +,"10/17/2024, 4:23:32.614 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giashi,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7da51b17-c6b0-400a-8c8a-16806a056350},720,8164,3125504,SecurityEvent, +,"10/17/2024, 4:23:32.743 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edine,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{02b55da4-fc1e-4105-aa17-719ac9f5533c},720,8164,3125506,SecurityEvent, +,"10/17/2024, 4:23:33.017 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bussum,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bddaaafb-3ffd-4113-8829-814b6075eeb6},720,8164,3125508,SecurityEvent, +,"10/17/2024, 4:23:33.418 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rosewich,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e320684-3180-4213-8305-8960fa665a22},720,8164,3125510,SecurityEvent, +,"10/17/2024, 4:23:34.190 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbbcouncil,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ecc1d784-49f0-484a-9e6f-91864a12dfe7},720,8164,3125512,SecurityEvent, +,"10/17/2024, 4:23:34.266 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somerdale,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5cb75a7a-db0e-41f0-8876-0dcde4f4c3cf},720,8164,3125514,SecurityEvent, +,"10/17/2024, 4:23:34.457 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellomobile,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4fbaf032-9416-45ef-9e2b-525dff4ffaad},720,8164,3125516,SecurityEvent, +,"10/17/2024, 4:23:34.671 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,budoff,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f73e7dde-2caa-4be2-8f95-4485438b588e},720,8164,3125518,SecurityEvent, +,"10/17/2024, 4:23:35.072 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roll20,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5162fbf-e08d-4b89-9b1c-bdc2d0968d06},720,8164,3125520,SecurityEvent, +,"10/17/2024, 4:23:35.961 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sperlversand,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b6867541-9802-490a-adc7-6e9b03c2aaae},720,8164,3125522,SecurityEvent, +,"10/17/2024, 4:23:36.027 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gartrellgroup,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ba50c30-dd48-4699-aca7-24843903db5d},720,8164,3125524,SecurityEvent, +,"10/17/2024, 4:23:36.111 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edisonreklam,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ec0409c-7869-4b4d-86f5-fdd6deef5410},720,8164,3125526,SecurityEvent, +,"10/17/2024, 4:23:36.333 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,building421,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11e97a4c-82b6-47d6-b646-b95bab675d63},720,8164,3125528,SecurityEvent, +,"10/17/2024, 4:23:36.793 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rushden,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{180d5d69-98cb-47a2-9a59-041dd284dded},720,8164,3125530,SecurityEvent, +,"10/17/2024, 4:23:37.387 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gaum,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4ecac04-2ff5-4979-99b5-5c18af3fef62},720,8164,3125532,SecurityEvent, +,"10/17/2024, 4:23:37.648 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sostrom,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ba1024bf-5611-4d5c-b90f-aa0d51a9093e},720,8164,3125534,SecurityEvent, +,,,ASHTravel\CPC-U126T-0G49H$,Machine,devops-vm,Microsoft-Windows-Security-Auditing,Security,12545,,,4634,4634 - An account was logged off.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ASHTravel\CPC-U126T-0G49H$,ASHTravel,,,0x9e6cad9,,,,,,CPC-U126T-0G49H$,S-1-5-21-720421519-3183328870-3616890059-4119,,,,,,,,,,,,,,,,,LogAlways,51fccf8c-2834-49f9-b05c-446e5cdefb09,,,,,,,,,844,5988,363506,SecurityEvent, 
diff --git a/Sample Data/Custom/Tenable_VM_Compliance_CL.json b/Sample Data/Custom/Tenable_VM_Compliance_CL.json new file mode 100644 index 00000000000..44bedbf0da5 --- /dev/null +++ b/Sample Data/Custom/Tenable_VM_Compliance_CL.json 
@@ -0,0 +1,4930 @@ +[ + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "ece8faf2556e0834dc0eb532431197834b683afa77d7a13aeee19caea576e706", + "check_name_s": "2.2.9 Ensure IMAP and POP3 server is not installed - cyrus-imapd", + "check_info_s": "dovecot is an open source IMAP and POP3 server for Linux based systems.\n\nRationale:\n\nUnless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface.\n\nNote: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required.", + "expected_value_s": "operator: lte\nrpm: cyrus-imapd-0.0.0-0\nsystem: Linux", + "actual_value_s": "The package 'cyrus-imapd-0.0.0-0' is not installed", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.2" + }, + { + "framework": "800-171", + "control": "3.4.6" + }, + { + "framework": "800-171", + "control": "3.4.7" + }, + { + "framework": "800-53", + "control": "CM-6" + }, + { + "framework": "800-53", + "control": "CM-7" + }, + { + "framework": "800-53r5", + "control": "CM-6" + }, + { + "framework": "800-53r5", + "control": "CM-7" + }, + { + "framework": "CSCv7", + "control": "9.2" + }, + { + "framework": "CSCv8", + "control": "4.8" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ITSG-33", + "control": "CM-6" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + 
}, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to remove dovecot and cyrus-imapd:\n\n# dnf remove dovecot cyrus-imapd\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCM-7", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "2.2.9 Ensure IMAP and POP3 server is not installed - cyrus-imapd: [PASSED]\"\n\ndovecot is an open source IMAP and POP3 server for Linux based systems.\n\nRationale:\n\nUnless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface.\n\nNote: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required.\n\nSolution:\nRun the following command to remove dovecot and cyrus-imapd:\n\n# dnf remove dovecot cyrus-imapd\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 
5:\n\nCM-7\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.2), ComplianceReference(framework=800-171, control=3.4.6), ComplianceReference(framework=800-171, control=3.4.7), ComplianceReference(framework=800-53, control=CM-6), ComplianceReference(framework=800-53, control=CM-7), ComplianceReference(framework=800-53r5, control=CM-6), ComplianceReference(framework=800-53r5, control=CM-7), ComplianceReference(framework=CSCv7, control=9.2), ComplianceReference(framework=CSCv8, control=4.8), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ITSG-33, control=CM-6), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3)}\n\nPolicy Value:\noperator: lte\nrpm: cyrus-imapd-0.0.0-0\nsystem: Linux\n\nActual Value:\n The package 'cyrus-imapd-0.0.0-0' is not installed", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "167059e0b015998cb54749aba770dab01a8762c2a53c731bf68b725f4a00f542", + "compliance_full_id_s": "ece8faf2556e0834dc0eb532431197834b683afa77d7a13aeee19caea576e706", + "compliance_functional_id_s": "885c095206", + "compliance_informational_id_s": "8b88c045fca7d58424b39f8381f12f02b8cc65f8ddcaa96d6b971e37cf7c81ab", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "317423c8e0dc055f4f5617615956199e915d4da4792b458e4d268f825e284498", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 
x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "71bfad6eaa9f9137543f3f7e31ef0777d2e2c9c59ecc1d151eab065f74c7d031", + "check_name_s": "4.1.3.8 Ensure events that modify user/group information are collected - /etc/security/opasswd", + "check_info_s": "Record events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.", + "expected_value_s": "cmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/awk '/^ *-w/ &&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": 
"4.8" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + 
{ + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.8 Ensure events that modify user/group information are collected - /etc/security/opasswd: [FAILED]\"\n\nRecord events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=4.8), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/awk '/^ *-w/ 
&&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "d61367b397bf263134281345942027fcd798faa4c5d6353b9fe8a10797ae286b", + "compliance_full_id_s": "71bfad6eaa9f9137543f3f7e31ef0777d2e2c9c59ecc1d151eab065f74c7d031", + "compliance_functional_id_s": "c3a3eb27ad", + "compliance_informational_id_s": "0ebdfe8388ad7c316191190c53408a45bb7a19be4b128fbe99e86f6d629f750c", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "ea4f97c2bf9124a3ceb4cd542ac0744a1cfcb3a8bfb022431805863b931dca2f", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": 
"CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "66e1ced6b3285a29d86ca062d7e03b0e20630d271ea9af9f561bd84a51119227", + "check_name_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 fchown", + "check_info_s": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + 
"framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S 
chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 fchown: [FAILED]\"\n\nMonitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot 
is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, 
control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), 
ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "4c2dbe80bcd14254f103bf348d9cba387975439583fe195aaa73b140a8ef1821", + "compliance_full_id_s": "66e1ced6b3285a29d86ca062d7e03b0e20630d271ea9af9f561bd84a51119227", + "compliance_functional_id_s": "dbf310cbed", + "compliance_informational_id_s": "e074a8b93d6e6d39a8f6913ed3652e35ba9acc37aaa09bbff79c41a9aa10dc5d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "592ae116de7793ad209255dd3007cf0a8e2e218e76760d50a3f15e536e37b519", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 
x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "6b4bede1185694c0d2200e1bc07bc7ba4ddda7803cebdef10328dc1d8bd17b1a", + "check_name_s": "1.1.2.2 Ensure nodev option set on /tmp partition", + "check_info_s": "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale:\n\nSince the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.", + "expected_value_s": "cmd: /usr/bin/findmnt --kernel /tmp\nexpect: [\\s]*[,]?nodev\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/findmnt --kernel /tmp' did not return any result", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.2" + }, + { + "framework": "800-171", + "control": "3.4.6" + }, + { + "framework": "800-171", + "control": "3.4.7" + }, + { + "framework": "800-53", + "control": "CM-6" + }, + { + "framework": "800-53", + "control": "CM-7" + }, + { + "framework": "800-53r5", + "control": "CM-6" + }, + { + "framework": 
"800-53r5", + "control": "CM-7" + }, + { + "framework": "CSCv7", + "control": "9.2" + }, + { + "framework": "CSCv8", + "control": "4.8" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ITSG-33", + "control": "CM-6" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition.\nExample:\n\n /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /tmp with the configured options:\n\n# mount -o remount /tmp", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "1.1.2.2 Ensure nodev option set on /tmp partition: [FAILED]\"\n\nThe nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale:\n\nSince the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.\n\nSolution:\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition.\nExample:\n\n /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /tmp with the configured options:\n\n# mount -o remount /tmp\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.2), ComplianceReference(framework=800-171, control=3.4.6), ComplianceReference(framework=800-171, control=3.4.7), ComplianceReference(framework=800-53, 
control=CM-6), ComplianceReference(framework=800-53, control=CM-7), ComplianceReference(framework=800-53r5, control=CM-6), ComplianceReference(framework=800-53r5, control=CM-7), ComplianceReference(framework=CSCv7, control=9.2), ComplianceReference(framework=CSCv8, control=4.8), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ITSG-33, control=CM-6), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3)}\n\nPolicy Value:\ncmd: /usr/bin/findmnt --kernel /tmp\nexpect: [\\s]*[,]?nodev\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/findmnt --kernel /tmp' did not return any result", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "c21c81eca23d7d2755f3e42c2996803dad7070ac873643cbf4605db9b0f87845", + "compliance_full_id_s": "6b4bede1185694c0d2200e1bc07bc7ba4ddda7803cebdef10328dc1d8bd17b1a", + "compliance_functional_id_s": "fd7a571e5e", + "compliance_informational_id_s": "b0eab6c2dcbafba2ab8e05bbd2af7b42d9c973d65343af6c4b6093deebbe3b7d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "16f64094cc56e2fa58284a3c74869fc86b82f445602ea2c638c60eb0898d1a1b", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + 
"asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "d7adf2fd57203608b90295c6c7c4c1a6fb76399ee9b79cb63f17b564b7b213dd", + "check_name_s": "5.1.1 Ensure cron daemon is enabled", + "check_info_s": "The cron daemon is used to execute batch jobs on the system.\n\nRationale:\n\nWhile there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them.", + "expected_value_s": "cmd: /*******\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux", + "actual_value_s": "The command returned : \n\nenabled", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.8" + }, + { + "framework": "800-53", + "control": "CM-7(5)" + }, + { + "framework": "800-53r5", + "control": "CM-7(5)" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.12.5.1" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.12.6.2" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": 
"1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + }, + { + "framework": "TBA-FIISB", + "control": "44.2.2" + }, + { + "framework": "TBA-FIISB", + "control": "49.2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to enable cron:\n\n# systemctl --now enable crond\n\nAdditional Information:\n\nAdditional methods of enabling a service exist. Consult your distribution documentation for appropriate methods.\n\nNIST SP 800-53 Rev. 5:\n\nCM-1\n\nCM-2\n\nCM-6\n\nCM-7\n\nIA-5\n\nMITRE ATT&CK Mappings:\n\nTechniques / Sub-techniques\n\nTactics\n\nMitigations\n\nT1562, T1562.001\n\nTA0005\n\nM1018", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "5.1.1 Ensure cron daemon is enabled: [PASSED]\"\n\nThe cron daemon is used to execute batch jobs on the system.\n\nRationale:\n\nWhile there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them.\n\nSolution:\nRun the following command to enable cron:\n\n# systemctl --now enable crond\n\nAdditional Information:\n\nAdditional methods of enabling a service exist. Consult your distribution documentation for appropriate methods.\n\nNIST SP 800-53 Rev. 
5:\n\nCM-1\n\nCM-2\n\nCM-6\n\nCM-7\n\nIA-5\n\nMITRE ATT&CK Mappings:\n\nTechniques / Sub-techniques\n\nTactics\n\nMitigations\n\nT1562, T1562.001\n\nTA0005\n\nM1018\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.8), ComplianceReference(framework=800-53, control=CM-7(5)), ComplianceReference(framework=800-53r5, control=CM-7(5)), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.12.5.1), ComplianceReference(framework=ISO/IEC-27001, control=A.12.6.2), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3), ComplianceReference(framework=TBA-FIISB, control=44.2.2), ComplianceReference(framework=TBA-FIISB, control=49.2.3)}\n\nPolicy Value:\ncmd: /*******\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\n The command returned : \n\nenabled", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "75f9187fa5f514629626891335d713da676996a8c24c7e04a3c5aedcbfb88093", + "compliance_full_id_s": "d7adf2fd57203608b90295c6c7c4c1a6fb76399ee9b79cb63f17b564b7b213dd", + "compliance_functional_id_s": "6cba02de15", + "compliance_informational_id_s": "0e35b915f114afc03d7e596c62646c1428f0b0f5afb2e7fc48d73e7f2a65fe72", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "f4270d2538a00348af5b3cc314d2588db370a783bc1feb8b2085bbff7ee58ebc", + "uname_output_s": "Linux 
ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "0d6d85ea6242503eb6c928f1776377b8bc7ab16a5b6973c59ca43151a6deb935", + "check_name_s": "3.4.2.3 Ensure nftables base chains exist - firewall misconfigured", + "check_info_s": "Chains are containers for rules. They exist in two kinds, base chains and regular chains. 
A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.\n\nRationale:\n\nIf a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.\n\nImpact:\n\nIf configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity.\n\nEnsure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop", + "expected_value_s": "cmd: multiple line script\ndont_echo_cmd: NO\nexpect: (?i)^[\\s]*\\**[\\s]*pass:?[\\s]*\\**$", + "actual_value_s": "The command script with multiple lines returned : \n\n- Audit Results:\n ** Fail **\n - Neither FirewallD or NFTables is installed.", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.13.1" + }, + { + "framework": "800-171", + "control": "3.13.5" + }, + { + "framework": "800-171", + "control": "3.13.6" + }, + { + "framework": "800-53", + "control": "CA-9" + }, + { + "framework": "800-53", + "control": "SC-7" + }, + { + "framework": "800-53", + "control": "SC-7(5)" + }, + { + "framework": "800-53r5", + "control": "CA-9" + }, + { + "framework": "800-53r5", + "control": "SC-7" + }, + { + "framework": "800-53r5", + "control": "SC-7(5)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.2(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(j)" + }, + { + "framework": "CSCv7", + "control": "9.4" + }, + { + "framework": "CSCv8", + "control": "4.4" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "ID.AM-3" + }, + { + "framework": "CSF", + "control": "PR.AC-5" + }, + { + "framework": "CSF", + "control": "PR.DS-5" + }, + { + "framework": "CSF", + "control": "PR.PT-4" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "GDPR", + "control": "32.1.d" + }, + { + 
"framework": "GDPR", + "control": "32.2" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.13.1.3" + }, + { + "framework": "ITSG-33", + "control": "SC-7" + }, + { + "framework": "ITSG-33", + "control": "SC-7(5)" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "T4.5.4" + }, + { + "framework": "NIAv2", + "control": "GS1" + }, + { + "framework": "NIAv2", + "control": "GS2a" + }, + { + "framework": "NIAv2", + "control": "GS2b" + }, + { + "framework": "NIAv2", + "control": "GS7b" + }, + { + "framework": "NIAv2", + "control": "NS25" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.2.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.3" + }, + { + "framework": "PCI-DSSv4.0", + "control": "1.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "1.4.1" + }, + { + "framework": "QCSC-v1", + "control": "4.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.1" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.3" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.1" + }, + { + "framework": "TBA-FIISB", + "control": "43.1" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to create the base chains:\n\n# nft create chain inet { type filter hook <(input|forward|output)> priority 0 ; }\n\nExample:\n\n# nft create chain inet filter input { type filter hook input priority 0 ; }\n# nft create chain inet filter forward { type filter hook forward priority 0 ; }\n# nft create chain inet filter output { type filter hook output priority 0 ; }\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 
5:\n\nCA-9", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "3.4.2.3 Ensure nftables base chains exist - firewall misconfigured: [FAILED]\"\n\nChains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.\n\nRationale:\n\nIf a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.\n\nImpact:\n\nIf configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity.\n\nEnsure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop\n\nSolution:\nRun the following command to create the base chains:\n\n# nft create chain inet
{ type filter hook <(input|forward|output)> priority 0 ; }\n\nExample:\n\n# nft create chain inet filter input { type filter hook input priority 0 ; }\n# nft create chain inet filter forward { type filter hook forward priority 0 ; }\n# nft create chain inet filter output { type filter hook output priority 0 ; }\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCA-9\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.13.1), ComplianceReference(framework=800-171, control=3.13.5), ComplianceReference(framework=800-171, control=3.13.6), ComplianceReference(framework=800-53, control=CA-9), ComplianceReference(framework=800-53, control=SC-7), ComplianceReference(framework=800-53, control=SC-7(5)), ComplianceReference(framework=800-53r5, control=CA-9), ComplianceReference(framework=800-53r5, control=SC-7), ComplianceReference(framework=800-53r5, control=SC-7(5)), ComplianceReference(framework=CN-L3, control=7.1.2.2(c)), ComplianceReference(framework=CN-L3, control=8.1.10.6(j)), ComplianceReference(framework=CSCv7, control=9.4), ComplianceReference(framework=CSCv8, control=4.4), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=ID.AM-3), ComplianceReference(framework=CSF, control=PR.AC-5), ComplianceReference(framework=CSF, control=PR.DS-5), ComplianceReference(framework=CSF, control=PR.PT-4), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=GDPR, control=32.1.d), ComplianceReference(framework=GDPR, control=32.2), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.13.1.3), ComplianceReference(framework=ITSG-33, control=SC-7), ComplianceReference(framework=ITSG-33, control=SC-7(5)), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=T4.5.4), ComplianceReference(framework=NIAv2, control=GS1), 
ComplianceReference(framework=NIAv2, control=GS2a), ComplianceReference(framework=NIAv2, control=GS2b), ComplianceReference(framework=NIAv2, control=GS7b), ComplianceReference(framework=NIAv2, control=NS25), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.2.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.3), ComplianceReference(framework=PCI-DSSv4.0, control=1.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=1.4.1), ComplianceReference(framework=QCSC-v1, control=4.2), ComplianceReference(framework=QCSC-v1, control=5.2.1), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=5.2.3), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=SWIFT-CSCv1, control=2.1), ComplianceReference(framework=TBA-FIISB, control=43.1)}\n\nPolicy Value:\ncmd: multiple line script\ndont_echo_cmd: NO\nexpect: (?i)^[\\s]*\\**[\\s]*pass:?[\\s]*\\**$\n\nActual Value:\n The command script with multiple lines returned : \n\n- Audit Results:\n ** Fail **\n - Neither FirewallD or NFTables is installed.", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "febf648efcfe844dadaf8953d279d2b8064fc2e6cf0b0f8cfc5561e7b17de384", + "compliance_full_id_s": "0d6d85ea6242503eb6c928f1776377b8bc7ab16a5b6973c59ca43151a6deb935", + "compliance_functional_id_s": "9c16d0c9d5", + "compliance_informational_id_s": "2bd1d18d5f1e0106aee51c5e3b32b327b0c6f4b0caf6b690369aae6d0d32cb94", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "05bec6c0f570d510001e5c87b4623da338d0bd49257771e4e9611ff159eee707", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 
x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "c96995aad2b523552eb8523de7ee05751bcccecb975fb32bfd6e5cc8d7efcaeb", + "check_name_s": "4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/shadow", + "check_info_s": "Record events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.", + "expected_value_s": "cmd: auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "4.8" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": 
"DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" 
+ }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/shadow: [FAILED]\"\n\nRecord events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=4.8), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ 
key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "d61367b397bf263134281345942027fcd798faa4c5d6353b9fe8a10797ae286b", + "compliance_full_id_s": "c96995aad2b523552eb8523de7ee05751bcccecb975fb32bfd6e5cc8d7efcaeb", + "compliance_functional_id_s": "33541942ba", + "compliance_informational_id_s": "0ebdfe8388ad7c316191190c53408a45bb7a19be4b128fbe99e86f6d629f750c", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "10e6d79c56e8ec5e92057290f406b125b9b41be6b980d5e1bfa2e28dfc40f342", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "ee7e02cc5a08bc60d3f7e01addca8260726187e1df8a688c4842010ed5ca2a08", + "check_name_s": 
"1.1.5.4 Ensure nosuid option set on /var/log partition", + "check_info_s": "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale:\n\nSince the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.", + "expected_value_s": "cmd: /usr/bin/findmnt --kernel /var/log | /usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'\nexpect: ([\\s]*[,]?nosuid|not mounted)\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/findmnt --kernel /var/log | /usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'' returned : \n\nnot mounted", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.1.1" + }, + { + "framework": "800-171", + "control": "3.1.4" + }, + { + "framework": "800-171", + "control": "3.1.5" + }, + { + "framework": "800-171", + "control": "3.8.1" + }, + { + "framework": "800-171", + "control": "3.8.2" + }, + { + "framework": "800-171", + "control": "3.8.3" + }, + { + "framework": "800-53", + "control": "AC-3" + }, + { + "framework": "800-53", + "control": "AC-5" + }, + { + "framework": "800-53", + "control": "AC-6" + }, + { + "framework": "800-53", + "control": "MP-2" + }, + { + "framework": "800-53r5", + "control": "AC-3" + }, + { + "framework": "800-53r5", + "control": "AC-5" + }, + { + "framework": "800-53r5", + "control": "AC-6" + }, + { + "framework": "800-53r5", + "control": "MP-2" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(g)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(d)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(f)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.11(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.2(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(a)" + }, + { + "framework": "CN-L3", + "control": "8.5.3.1" + }, + { + "framework": "CN-L3", + 
"control": "8.5.4.1(a)" + }, + { + "framework": "CSCv7", + "control": "14.6" + }, + { + "framework": "CSCv8", + "control": "3.3" + }, + { + "framework": "CSF", + "control": "PR.AC-4" + }, + { + "framework": "CSF", + "control": "PR.DS-5" + }, + { + "framework": "CSF", + "control": "PR.PT-2" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.6.1.2" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.1" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.5" + }, + { + "framework": "ITSG-33", + "control": "AC-3" + }, + { + "framework": "ITSG-33", + "control": "AC-5" + }, + { + "framework": "ITSG-33", + "control": "AC-6" + }, + { + "framework": "ITSG-33", + "control": "MP-2" + }, + { + "framework": "ITSG-33", + "control": "MP-2a." + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "T1.3.2" + }, + { + "framework": "NESA", + "control": "T1.3.3" + }, + { + "framework": "NESA", + "control": "T1.4.1" + }, + { + "framework": "NESA", + "control": "T4.2.1" + }, + { + "framework": "NESA", + "control": "T5.1.1" + }, + { + "framework": "NESA", + "control": "T5.2.2" + }, + { + "framework": "NESA", + "control": "T5.4.1" + }, + { + "framework": "NESA", + "control": "T5.4.4" + }, + { + "framework": "NESA", + "control": "T5.4.5" + }, + { + "framework": "NESA", + "control": "T5.5.4" + }, + { + "framework": "NESA", + "control": "T5.6.1" + }, + { + "framework": "NESA", + "control": "T7.5.2" + }, + { + "framework": "NESA", + "control": "T7.5.3" + }, + { + "framework": "NIAv2", + "control": "AM1" + }, + { + "framework": "NIAv2", + "control": "AM3" + }, + { + "framework": "NIAv2", + "control": "AM23f" + }, + { + "framework": "NIAv2", + "control": "SS13c" + }, + { + "framework": "NIAv2", + 
"control": "SS15c" + }, + { + "framework": "NIAv2", + "control": "SS29" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "7.1.2" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "5.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.2" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition.\nExample:\n\n /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /var/log with the configured options:\n\n# mount -o remount /var/log", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "1.1.5.4 Ensure nosuid option set on /var/log partition: [PASSED]\"\n\nThe nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale:\n\nSince the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.\n\nSolution:\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition.\nExample:\n\n /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /var/log with the configured options:\n\n# mount -o remount /var/log\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.1.1), ComplianceReference(framework=800-171, control=3.1.4), ComplianceReference(framework=800-171, control=3.1.5), 
ComplianceReference(framework=800-171, control=3.8.1), ComplianceReference(framework=800-171, control=3.8.2), ComplianceReference(framework=800-171, control=3.8.3), ComplianceReference(framework=800-53, control=AC-3), ComplianceReference(framework=800-53, control=AC-5), ComplianceReference(framework=800-53, control=AC-6), ComplianceReference(framework=800-53, control=MP-2), ComplianceReference(framework=800-53r5, control=AC-3), ComplianceReference(framework=800-53r5, control=AC-5), ComplianceReference(framework=800-53r5, control=AC-6), ComplianceReference(framework=800-53r5, control=MP-2), ComplianceReference(framework=CN-L3, control=7.1.3.2(b)), ComplianceReference(framework=CN-L3, control=7.1.3.2(g)), ComplianceReference(framework=CN-L3, control=8.1.4.2(d)), ComplianceReference(framework=CN-L3, control=8.1.4.2(f)), ComplianceReference(framework=CN-L3, control=8.1.4.11(b)), ComplianceReference(framework=CN-L3, control=8.1.10.2(c)), ComplianceReference(framework=CN-L3, control=8.1.10.6(a)), ComplianceReference(framework=CN-L3, control=8.5.3.1), ComplianceReference(framework=CN-L3, control=8.5.4.1(a)), ComplianceReference(framework=CSCv7, control=14.6), ComplianceReference(framework=CSCv8, control=3.3), ComplianceReference(framework=CSF, control=PR.AC-4), ComplianceReference(framework=CSF, control=PR.DS-5), ComplianceReference(framework=CSF, control=PR.PT-2), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.6.1.2), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.1), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.5), ComplianceReference(framework=ITSG-33, control=AC-3), ComplianceReference(framework=ITSG-33, control=AC-5), ComplianceReference(framework=ITSG-33, control=AC-6), ComplianceReference(framework=ITSG-33, 
control=MP-2), ComplianceReference(framework=ITSG-33, control=MP-2a.), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=T1.3.2), ComplianceReference(framework=NESA, control=T1.3.3), ComplianceReference(framework=NESA, control=T1.4.1), ComplianceReference(framework=NESA, control=T4.2.1), ComplianceReference(framework=NESA, control=T5.1.1), ComplianceReference(framework=NESA, control=T5.2.2), ComplianceReference(framework=NESA, control=T5.4.1), ComplianceReference(framework=NESA, control=T5.4.4), ComplianceReference(framework=NESA, control=T5.4.5), ComplianceReference(framework=NESA, control=T5.5.4), ComplianceReference(framework=NESA, control=T5.6.1), ComplianceReference(framework=NESA, control=T7.5.2), ComplianceReference(framework=NESA, control=T7.5.3), ComplianceReference(framework=NIAv2, control=AM1), ComplianceReference(framework=NIAv2, control=AM3), ComplianceReference(framework=NIAv2, control=AM23f), ComplianceReference(framework=NIAv2, control=SS13c), ComplianceReference(framework=NIAv2, control=SS15c), ComplianceReference(framework=NIAv2, control=SS29), ComplianceReference(framework=PCI-DSSv3.2.1, control=7.1.2), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=5.1), ComplianceReference(framework=TBA-FIISB, control=31.1), ComplianceReference(framework=TBA-FIISB, control=31.4.2), ComplianceReference(framework=TBA-FIISB, control=31.4.3)}\n\nPolicy Value:\ncmd: /usr/bin/findmnt --kernel /var/log | /usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'\nexpect: ([\\s]*[,]?nosuid|not mounted)\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/findmnt --kernel /var/log | 
/usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'' returned : \n\nnot mounted", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "7b47be8c2509338faaf214983b1dc3af4bdcd6e8181aa9411c6f2ef11acefaef", + "compliance_full_id_s": "ee7e02cc5a08bc60d3f7e01addca8260726187e1df8a688c4842010ed5ca2a08", + "compliance_functional_id_s": "1cb51bb766", + "compliance_informational_id_s": "3e150b740e3f60be1af9f8d12f7c117321f71f162e5018ede5f9e28ada80885a", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "3d1a3e0475a7bdc313e2c7dbb8438642d933dc5cc1766b7b559427e6d28d3313", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "64e12b3bc42982ade33cf0c3db6eecdc30a76cc7b033cf603961ffbaab4796e8", + "check_name_s": "4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl 
/etc/sudoers.d", + "check_info_s": "Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier 'scope'.\n\nRationale:\n\nChanges in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.", + "expected_value_s": "cmd: /usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/auditctl: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + 
"control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "4.8" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + 
"control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.\nExample:\n\n# printf '\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope\n' >> /etc/audit/rules.d/50-scope.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers.d: [FAILED]\"\n\nMonitor scope changes for system administrators. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier 'scope'.\n\nRationale:\n\nChanges in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.\nExample:\n\n# printf '\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope\n' >> /etc/audit/rules.d/50-scope.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=4.8), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/auditctl: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + 
"compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "42fd0b472509848ca0dde47b4c2d3ee620982c2341e8540c860a1c6346977431", + "compliance_full_id_s": "64e12b3bc42982ade33cf0c3db6eecdc30a76cc7b033cf603961ffbaab4796e8", + "compliance_functional_id_s": "625ad047a6", + "compliance_informational_id_s": "fc40df103751d40c7b8f68660e21c48c0912e6b6c4e26b4bd3e0bac261d027b1", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "39f337ddad726f8a36e01537cb89f6809d2cc1fd8ec98eeab2e1fb895e5782cf", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "9ef63551f5f0ff5277942932ff742864d3a7eac24c4a20372c9b0274daec7219", + "check_name_s": "1.3.2 Ensure filesystem integrity is regularly checked - cron", + "check_info_s": "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.\n\nRationale:\n\nPeriodic file checking allows the system 
administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.", + "expected_value_s": "PASSED", + "actual_value_s": "", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.1.7" + }, + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-53", + "control": "AC-6(9)" + }, + { + "framework": "800-53", + "control": "AU-2" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AC-6(9)" + }, + { + "framework": "800-53r5", + "control": "AU-2" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(g)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(d)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(a)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(a)" + }, + { + "framework": "CSCv7", + "control": "14.9" + }, + { + "framework": "CSCv8", + "control": "3.14" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.AC-4" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.12.4.3" + }, + { + "framework": "ITSG-33", + "control": "AC-6" + }, + { + "framework": "ITSG-33", + "control": "AU-2" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "M1.2.2" + }, + { + "framework": "NESA", + 
"control": "M5.5.1" + }, + { + "framework": "NESA", + "control": "T5.1.1" + }, + { + "framework": "NESA", + "control": "T5.2.2" + }, + { + "framework": "NESA", + "control": "T5.5.4" + }, + { + "framework": "NESA", + "control": "T7.5.3" + }, + { + "framework": "NIAv2", + "control": "AM1" + }, + { + "framework": "NIAv2", + "control": "AM7" + }, + { + "framework": "NIAv2", + "control": "AM11a" + }, + { + "framework": "NIAv2", + "control": "AM11b" + }, + { + "framework": "NIAv2", + "control": "AM11c" + }, + { + "framework": "NIAv2", + "control": "AM11d" + }, + { + "framework": "NIAv2", + "control": "AM11e" + }, + { + "framework": "NIAv2", + "control": "AM23f" + }, + { + "framework": "NIAv2", + "control": "SS13c" + }, + { + "framework": "NIAv2", + "control": "SS15c" + }, + { + "framework": "NIAv2", + "control": "SS30" + }, + { + "framework": "NIAv2", + "control": "VL8" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "7.1.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "5.1" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.2" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "If cron will be used to schedule and run aide check\nRun the following command:\n\n# crontab -u root -e\n\nAdd the following line to the crontab:\n\n0 5 * * * /usr/sbin/aide --check\n\nOR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:\nCreate 
or edit the file /etc/systemd/system/aidecheck.service and add the following lines:\n\n[Unit]\nDescription=Aide Check\n\n[Service]\nType=simple\nExecStart=/usr/sbin/aide --check\n\n[Install]\nWantedBy=multi-user.target\n\nCreate or edit the file /etc/systemd/system/aidecheck.timer and add the following lines:\n\n[Unit]\nDescription=Aide check every day at 5AM\n\n[Timer]\nOnCalendar=*-*-* 05:00:00\nUnit=aidecheck.service\n\n[Install]\nWantedBy=multi-user.target\n\nRun the following commands:\n\n# chown root:root /etc/systemd/system/aidecheck.*\n# chmod 0644 /etc/systemd/system/aidecheck.*\n\n# systemctl daemon-reload\n\n# systemctl enable aidecheck.service\n# systemctl --now enable aidecheck.timer", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "1.3.2 Ensure filesystem integrity is regularly checked - cron: [PASSED]\"\n\nPeriodic checking of the filesystem integrity is needed to detect changes to the filesystem.\n\nRationale:\n\nPeriodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.\n\nSolution:\nIf cron will be used to schedule and run aide check\nRun the following command:\n\n# crontab -u root -e\n\nAdd the following line to the crontab:\n\n0 5 * * * /usr/sbin/aide --check\n\nOR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:\nCreate or edit the file /etc/systemd/system/aidecheck.service and add the following lines:\n\n[Unit]\nDescription=Aide Check\n\n[Service]\nType=simple\nExecStart=/usr/sbin/aide --check\n\n[Install]\nWantedBy=multi-user.target\n\nCreate or edit the file /etc/systemd/system/aidecheck.timer and add the following lines:\n\n[Unit]\nDescription=Aide check every day at 5AM\n\n[Timer]\nOnCalendar=*-*-* 05:00:00\nUnit=aidecheck.service\n\n[Install]\nWantedBy=multi-user.target\n\nRun the following commands:\n\n# chown root:root /etc/systemd/system/aidecheck.*\n# chmod 0644 
/etc/systemd/system/aidecheck.*\n\n# systemctl daemon-reload\n\n# systemctl enable aidecheck.service\n# systemctl --now enable aidecheck.timer\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.1.7), ComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-53, control=AC-6(9)), ComplianceReference(framework=800-53, control=AU-2), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AC-6(9)), ComplianceReference(framework=800-53r5, control=AU-2), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.3.2(b)), ComplianceReference(framework=CN-L3, control=7.1.3.2(g)), ComplianceReference(framework=CN-L3, control=8.1.4.2(d)), ComplianceReference(framework=CN-L3, control=8.1.4.3(a)), ComplianceReference(framework=CN-L3, control=8.1.10.6(a)), ComplianceReference(framework=CSCv7, control=14.9), ComplianceReference(framework=CSCv8, control=3.14), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.AC-4), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ISO/IEC-27001, control=A.12.4.3), ComplianceReference(framework=ITSG-33, control=AC-6), ComplianceReference(framework=ITSG-33, control=AU-2), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=M1.2.2), ComplianceReference(framework=NESA, control=M5.5.1), 
ComplianceReference(framework=NESA, control=T5.1.1), ComplianceReference(framework=NESA, control=T5.2.2), ComplianceReference(framework=NESA, control=T5.5.4), ComplianceReference(framework=NESA, control=T7.5.3), ComplianceReference(framework=NIAv2, control=AM1), ComplianceReference(framework=NIAv2, control=AM7), ComplianceReference(framework=NIAv2, control=AM11a), ComplianceReference(framework=NIAv2, control=AM11b), ComplianceReference(framework=NIAv2, control=AM11c), ComplianceReference(framework=NIAv2, control=AM11d), ComplianceReference(framework=NIAv2, control=AM11e), ComplianceReference(framework=NIAv2, control=AM23f), ComplianceReference(framework=NIAv2, control=SS13c), ComplianceReference(framework=NIAv2, control=SS15c), ComplianceReference(framework=NIAv2, control=SS30), ComplianceReference(framework=NIAv2, control=VL8), ComplianceReference(framework=PCI-DSSv3.2.1, control=7.1.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=5.1), ComplianceReference(framework=SWIFT-CSCv1, control=6.4), ComplianceReference(framework=TBA-FIISB, control=31.4.2), ComplianceReference(framework=TBA-FIISB, control=31.4.3)}\n\nPolicy Value:\nPASSED", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "488a89faad765166b56ed0a55d372f3f2149617eeb250e6ff8b28723692a5179", + "compliance_full_id_s": "9ef63551f5f0ff5277942932ff742864d3a7eac24c4a20372c9b0274daec7219", + "compliance_functional_id_s": "374edc0aee", + "compliance_informational_id_s": 
"9096a0cff67447bc4b575451886fbc88a210fd0373f1793f559a68dee603e2b2", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "0da2d9a429830621a90d8224327710fe4e2123ae88860b42b48d285447e9aab6", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "93c6077b23686986392e69868090e482d48b416944f72f1ea76d8c0eaa6d8f34", + "check_name_s": "4.1.3.4 Ensure events that modify date and time information are collected - auditctl stime", + "check_info_s": "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the;\n\nadjtimex - tune kernel clock\n\nsettimeofday - set time using timeval and timezone structures\n\nstime - using seconds since 1/1/1970\n\nclock_settime - allows for the setting of several internal clocks and timers\n\nsystem calls have been executed. 
Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as 'time-change'.\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.", + "expected_value_s": "PASSED", + "actual_value_s": "", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + 
}, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change\n-a always,exit -F arch=b32 -S 
adjtimex,settimeofday,clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n' >> /etc/audit/rules.d/50-time-change.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example:\n\n-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.4 Ensure events that modify date and time information are collected - auditctl stime: [PASSED]\"\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the;\n\nadjtimex - tune kernel clock\n\nsettimeofday - set time using timeval and timezone structures\n\nstime - using seconds since 1/1/1970\n\nclock_settime - allows for the setting of several internal clocks and timers\n\nsystem calls have been executed. 
Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as 'time-change'.\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change\n-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n' >> /etc/audit/rules.d/50-time-change.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example:\n\n-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\nPASSED", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "8849242ba0e1b50820fbc8fe66ca64790fec2c5b7fa5489ac0fc11d4bc5f179e", + "compliance_full_id_s": "93c6077b23686986392e69868090e482d48b416944f72f1ea76d8c0eaa6d8f34", + "compliance_functional_id_s": "374edc0aee", + "compliance_informational_id_s": "69e625ed909d53f6e6881fc18b980ee90a69d2d5eba3166079a368e23804c5b2", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": 
"719a30e2486af08b12b596d9c7d028e2e9d2f19051e61e0671efbed18f283550", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "adb4e5f150c2200323abcd3df361136a1e6e48a974a73ed79e2e03d5a8e0729b", + "check_name_s": "4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b32 EPERM", + "check_info_s": "Monitor for unsuccessful attempts to access files. 
The following parameters are associated with system calls that control files:\n\ncreation - creat\n\nopening - open , openat\n\ntruncation - truncate , ftruncate\n\nAn audit log record will only be written if all of the following criteria is met for the user when trying to access a file:\n\na non-privileged user (auid>=UID_MIN)\n\nis not a Daemon event (auid=4294967295/unset/-1)\n\nif the system call returned EACCES (permission denied) or EPERM (some other permanent error associated with the specific system call)\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, 
+ { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "14.9" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": 
"AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor unsuccessful file access attempts.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n' >> 
/etc/audit/rules.d/50-access.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b32 EPERM: [FAILED]\"\n\nMonitor for unsuccessful attempts to access files. 
The following parameters are associated with system calls that control files:\n\ncreation - creat\n\nopening - open , openat\n\ntruncation - truncate , ftruncate\n\nAn audit log record will only be written if all of the following criteria is met for the user when trying to access a file:\n\na non-privileged user (auid>=UID_MIN)\n\nis not a Daemon event (auid=4294967295/unset/-1)\n\nif the system call returned EACCES (permission denied) or EPERM (some other permanent error associated with the specific system call)\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor unsuccessful file access attempts.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n' >> /etc/audit/rules.d/50-access.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential 
reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=14.9), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, 
control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F 
*arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "05ab0742844e8a5dd5c67c3856f19b6f73d648a6ce878e346ec4f086fa760f35", + "compliance_full_id_s": "adb4e5f150c2200323abcd3df361136a1e6e48a974a73ed79e2e03d5a8e0729b", + "compliance_functional_id_s": "cc0d904652", + "compliance_informational_id_s": "651163f64225b456b7522d87eb316a93c44ec1b30d9d0b68f04fefe6b06f0c70", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "3f4148c46504b71acc104a6852ce904dc27bfc3f9f1ba60fdfa96b6a6d3612cd", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:12 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": 
"1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "38cddbb9fb71c45b36936134700b6be3d1137904b9358311d996a57c44ad25ae", + "check_name_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 fchmodat", + "check_info_s": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + 
"control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + 
"control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load 
rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 fchmodat: [FAILED]\"\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | 
/usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "4c2dbe80bcd14254f103bf348d9cba387975439583fe195aaa73b140a8ef1821", + "compliance_full_id_s": "38cddbb9fb71c45b36936134700b6be3d1137904b9358311d996a57c44ad25ae", + "compliance_functional_id_s": "55e120b210", + "compliance_informational_id_s": "e074a8b93d6e6d39a8f6913ed3652e35ba9acc37aaa09bbff79c41a9aa10dc5d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "97445f25f1c84207f53821767d304663ab918e6be2eb318421e652bd98c50046", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server 
release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "4afbe7720967dd60debd35feb0e4eef4e91de7da4a0fa96e8c34e4467a0dace0", + "check_name_s": "6.1.10 Ensure no unowned files or directories exist", + "check_info_s": "Sometimes when administrators delete users from the password file, they neglect to remove all files owned by those users from the system.\n\nRationale:\n\nA new user who is assigned the deleted user's user ID or group ID may then end up 'owning' these files, and thus have more access on the system than was intended.", + "expected_value_s": "find_option: nouser\nname: find_orphan_files\nsystem: Linux\ntimeout: 7200", + "actual_value_s": "No issues found.", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.1.1" + }, + { + "framework": "800-171", + "control": "3.1.4" + }, + { + "framework": "800-171", + "control": "3.1.5" + }, + { + "framework": "800-171", + "control": "3.8.1" + }, + { + "framework": "800-171", + "control": "3.8.2" + }, + { + "framework": "800-171", + "control": "3.8.3" + }, + { + "framework": "800-53", + "control": "AC-3" + }, + { + "framework": "800-53", + "control": "AC-5" + }, + { + "framework": "800-53", + "control": "AC-6" + }, + { + "framework": "800-53", + "control": "MP-2" + }, + { + "framework": "800-53r5", + "control": "AC-3" + }, + { + "framework": "800-53r5", + "control": "AC-5" + }, + { + "framework": "800-53r5", + "control": "AC-6" + }, + { + "framework": "800-53r5", + "control": "MP-2" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(g)" 
+ }, + { + "framework": "CN-L3", + "control": "8.1.4.2(d)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(f)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.11(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.2(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(a)" + }, + { + "framework": "CN-L3", + "control": "8.5.3.1" + }, + { + "framework": "CN-L3", + "control": "8.5.4.1(a)" + }, + { + "framework": "CSCv7", + "control": "13.2" + }, + { + "framework": "CSCv8", + "control": "3.3" + }, + { + "framework": "CSF", + "control": "PR.AC-4" + }, + { + "framework": "CSF", + "control": "PR.DS-5" + }, + { + "framework": "CSF", + "control": "PR.PT-2" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.6.1.2" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.1" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.5" + }, + { + "framework": "ITSG-33", + "control": "AC-3" + }, + { + "framework": "ITSG-33", + "control": "AC-5" + }, + { + "framework": "ITSG-33", + "control": "AC-6" + }, + { + "framework": "ITSG-33", + "control": "MP-2" + }, + { + "framework": "ITSG-33", + "control": "MP-2a." 
+ }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "T1.3.2" + }, + { + "framework": "NESA", + "control": "T1.3.3" + }, + { + "framework": "NESA", + "control": "T1.4.1" + }, + { + "framework": "NESA", + "control": "T4.2.1" + }, + { + "framework": "NESA", + "control": "T5.1.1" + }, + { + "framework": "NESA", + "control": "T5.2.2" + }, + { + "framework": "NESA", + "control": "T5.4.1" + }, + { + "framework": "NESA", + "control": "T5.4.4" + }, + { + "framework": "NESA", + "control": "T5.4.5" + }, + { + "framework": "NESA", + "control": "T5.5.4" + }, + { + "framework": "NESA", + "control": "T5.6.1" + }, + { + "framework": "NESA", + "control": "T7.5.2" + }, + { + "framework": "NESA", + "control": "T7.5.3" + }, + { + "framework": "NIAv2", + "control": "AM1" + }, + { + "framework": "NIAv2", + "control": "AM3" + }, + { + "framework": "NIAv2", + "control": "AM23f" + }, + { + "framework": "NIAv2", + "control": "SS13c" + }, + { + "framework": "NIAv2", + "control": "SS15c" + }, + { + "framework": "NIAv2", + "control": "SS29" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "7.1.2" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "5.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.2" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.\n\nAdditional 
Information:\n\nNIST SP 800-53 Rev. 5:\n\nAC-3\n\nMP-2", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "6.1.10 Ensure no unowned files or directories exist: [PASSED]\"\n\nSometimes when administrators delete users from the password file, they neglect to remove all files owned by those users from the system.\n\nRationale:\n\nA new user who is assigned the deleted user's user ID or group ID may then end up 'owning' these files, and thus have more access on the system than was intended.\n\nSolution:\nLocate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nAC-3\n\nMP-2\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.1.1), ComplianceReference(framework=800-171, control=3.1.4), ComplianceReference(framework=800-171, control=3.1.5), ComplianceReference(framework=800-171, control=3.8.1), ComplianceReference(framework=800-171, control=3.8.2), ComplianceReference(framework=800-171, control=3.8.3), ComplianceReference(framework=800-53, control=AC-3), ComplianceReference(framework=800-53, control=AC-5), ComplianceReference(framework=800-53, control=AC-6), ComplianceReference(framework=800-53, control=MP-2), ComplianceReference(framework=800-53r5, control=AC-3), ComplianceReference(framework=800-53r5, control=AC-5), ComplianceReference(framework=800-53r5, control=AC-6), ComplianceReference(framework=800-53r5, control=MP-2), ComplianceReference(framework=CN-L3, control=7.1.3.2(b)), ComplianceReference(framework=CN-L3, control=7.1.3.2(g)), ComplianceReference(framework=CN-L3, control=8.1.4.2(d)), ComplianceReference(framework=CN-L3, control=8.1.4.2(f)), ComplianceReference(framework=CN-L3, control=8.1.4.11(b)), ComplianceReference(framework=CN-L3, control=8.1.10.2(c)), ComplianceReference(framework=CN-L3, 
control=8.1.10.6(a)), ComplianceReference(framework=CN-L3, control=8.5.3.1), ComplianceReference(framework=CN-L3, control=8.5.4.1(a)), ComplianceReference(framework=CSCv7, control=13.2), ComplianceReference(framework=CSCv8, control=3.3), ComplianceReference(framework=CSF, control=PR.AC-4), ComplianceReference(framework=CSF, control=PR.DS-5), ComplianceReference(framework=CSF, control=PR.PT-2), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.6.1.2), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.1), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.5), ComplianceReference(framework=ITSG-33, control=AC-3), ComplianceReference(framework=ITSG-33, control=AC-5), ComplianceReference(framework=ITSG-33, control=AC-6), ComplianceReference(framework=ITSG-33, control=MP-2), ComplianceReference(framework=ITSG-33, control=MP-2a.), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=T1.3.2), ComplianceReference(framework=NESA, control=T1.3.3), ComplianceReference(framework=NESA, control=T1.4.1), ComplianceReference(framework=NESA, control=T4.2.1), ComplianceReference(framework=NESA, control=T5.1.1), ComplianceReference(framework=NESA, control=T5.2.2), ComplianceReference(framework=NESA, control=T5.4.1), ComplianceReference(framework=NESA, control=T5.4.4), ComplianceReference(framework=NESA, control=T5.4.5), ComplianceReference(framework=NESA, control=T5.5.4), ComplianceReference(framework=NESA, control=T5.6.1), ComplianceReference(framework=NESA, control=T7.5.2), ComplianceReference(framework=NESA, control=T7.5.3), ComplianceReference(framework=NIAv2, control=AM1), ComplianceReference(framework=NIAv2, control=AM3), ComplianceReference(framework=NIAv2, control=AM23f), 
ComplianceReference(framework=NIAv2, control=SS13c), ComplianceReference(framework=NIAv2, control=SS15c), ComplianceReference(framework=NIAv2, control=SS29), ComplianceReference(framework=PCI-DSSv3.2.1, control=7.1.2), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=5.1), ComplianceReference(framework=TBA-FIISB, control=31.1), ComplianceReference(framework=TBA-FIISB, control=31.4.2), ComplianceReference(framework=TBA-FIISB, control=31.4.3)}\n\nPolicy Value:\nfind_option: nouser\nname: find_orphan_files\nsystem: Linux\ntimeout: 7200\n\nActual Value:\n No issues found.", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "c1ebc86879aece17e2c9aacd2c9867ab8e6912cea44b60ea658e94f83973b6d5", + "compliance_full_id_s": "4afbe7720967dd60debd35feb0e4eef4e91de7da4a0fa96e8c34e4467a0dace0", + "compliance_functional_id_s": "32bc4eabac", + "compliance_informational_id_s": "d44b06c8d59b8c3147b606a96ae721500314a4c551fe1d5d69b450510febecb5", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "3dc39890e6a852a58e3abc3175d72f50eb7342f0a560c083e53d2b9ceebd62bc", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": 
"02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "a87cbed4210eecf2d468be5a0255922a2e3871df7a82ca7faa988ff224ea197c", + "check_name_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 chmod", + "check_info_s": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": 
"800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + 
"control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | 
grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 chmod: [FAILED]\"\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" 
/etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "4c2dbe80bcd14254f103bf348d9cba387975439583fe195aaa73b140a8ef1821", + "compliance_full_id_s": "a87cbed4210eecf2d468be5a0255922a2e3871df7a82ca7faa988ff224ea197c", + "compliance_functional_id_s": "f49eb64418", + "compliance_informational_id_s": "e074a8b93d6e6d39a8f6913ed3652e35ba9acc37aaa09bbff79c41a9aa10dc5d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "92c55495acfd968a7fab5040d7962b0040fe5e4b034964b19ba519f8e0bdb855", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + 
"asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "b4e31100ce9201c99ddb73ce469f21c2a88743219e266d2206fc38e99d3fee2c", + "check_name_s": "2.2.7 Ensure TFTP Server is not installed", + "check_info_s": "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files.\n\nRationale:\n\nUnless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface.\n\nTFTP does not have built-in encryption, access control or authentication. 
This makes it very easy for an attacker to exploit TFTP to gain access to files\n\nImpact:\n\nTFTP is often used to provide files for network booting such as for PXE based installation of servers.", + "expected_value_s": "operator: lte\nrpm: tftp-server-0.0.0-0\nsystem: Linux", + "actual_value_s": "The package 'tftp-server-0.0.0-0' is not installed", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.2" + }, + { + "framework": "800-171", + "control": "3.4.6" + }, + { + "framework": "800-171", + "control": "3.4.7" + }, + { + "framework": "800-53", + "control": "CM-6" + }, + { + "framework": "800-53", + "control": "CM-7" + }, + { + "framework": "800-53r5", + "control": "CM-6" + }, + { + "framework": "800-53r5", + "control": "CM-7" + }, + { + "framework": "CSCv7", + "control": "9.2" + }, + { + "framework": "CSCv8", + "control": "4.8" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ITSG-33", + "control": "CM-6" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to remove tftp-server:\n\n# dnf remove tftp-server\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCM-7", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "2.2.7 Ensure TFTP Server is not installed: [PASSED]\"\n\nTrivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. 
TFTP servers allow connections from a TFTP Client for sending and receiving files.\n\nRationale:\n\nUnless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface.\n\nTFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files\n\nImpact:\n\nTFTP is often used to provide files for network booting such as for PXE based installation of servers.\n\nSolution:\nRun the following command to remove tftp-server:\n\n# dnf remove tftp-server\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCM-7\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.2), ComplianceReference(framework=800-171, control=3.4.6), ComplianceReference(framework=800-171, control=3.4.7), ComplianceReference(framework=800-53, control=CM-6), ComplianceReference(framework=800-53, control=CM-7), ComplianceReference(framework=800-53r5, control=CM-6), ComplianceReference(framework=800-53r5, control=CM-7), ComplianceReference(framework=CSCv7, control=9.2), ComplianceReference(framework=CSCv8, control=4.8), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ITSG-33, control=CM-6), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3)}\n\nPolicy Value:\noperator: lte\nrpm: tftp-server-0.0.0-0\nsystem: Linux\n\nActual Value:\n The package 'tftp-server-0.0.0-0' is not installed", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + 
"compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "35a2c0121f3938a3ac63113a3ab7ee7b0003c80fdc1ce93face3540cd1ef52b7", + "compliance_full_id_s": "b4e31100ce9201c99ddb73ce469f21c2a88743219e266d2206fc38e99d3fee2c", + "compliance_functional_id_s": "0e708ddcee", + "compliance_informational_id_s": "f6fdc376a9aa47dc1b142bb100afb263c8883654d581f411bc5a55c1320647e2", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "444626bcfa5ab25a46b7f17f0b976b6f26678c6dfe3f967f1d67b258db13045e", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "9f36e15fb46e36d1b9d873349f6c60bb256b5682576d6b00454e3722feff74ed", + "check_name_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname", + "check_info_s": "Record changes to network environment files or system calls. 
The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.", + "expected_value_s": "cmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + 
"framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": 
"https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname: [FAILED]\"\n\nRecord changes to network environment files or system calls. 
The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + 
"compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "fe51e331db5b070110d5d608b8ae634ad8a9b017a8c4a905bb22a649fe6eb7fb", + "compliance_full_id_s": "9f36e15fb46e36d1b9d873349f6c60bb256b5682576d6b00454e3722feff74ed", + "compliance_functional_id_s": "185a8d6bfd", + "compliance_informational_id_s": "301152ec9950c19790c8ba131b425e63067643485eb582a727a448651d10ea1b", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "499fac5cf56471d7df4699c72eb8da1ce9565a8717881ac8b16bb378012cf93a", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "d914818afd1deed40e6125f90b3bf16b1f6d626608f222b63fbb8bf906ec0323", + "check_name_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 setdomainname", + "check_info_s": "Record changes to network environment files or system 
calls. The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.", + "expected_value_s": "cmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + 
"framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": 
"https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 setdomainname: [FAILED]\"\n\nRecord changes to network environment files or system calls. 
The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + 
"compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "fe51e331db5b070110d5d608b8ae634ad8a9b017a8c4a905bb22a649fe6eb7fb", + "compliance_full_id_s": "d914818afd1deed40e6125f90b3bf16b1f6d626608f222b63fbb8bf906ec0323", + "compliance_functional_id_s": "8a9f15d206", + "compliance_informational_id_s": "301152ec9950c19790c8ba131b425e63067643485eb582a727a448651d10ea1b", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "a45648ae2c2dc7956be17092dd049978b059e5c0d93c198cde482a11a2ffbac3", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:12 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "e32e32f47a6d99ba538a2f3b15eb10cafee844dd2c27595fce4c6dbbeca6b9f3", + "check_name_s": "4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled", + "check_info_s": "Configure grub2 so that processes that are capable of being audited can be audited even if 
they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.", + "expected_value_s": "cmd: /usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/grubby: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-2" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-2" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(a)" + }, + { + "framework": "CSCv7", + "control": "6.2" + }, + { + "framework": "CSCv8", + "control": "8.2" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-2" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + 
"control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "M1.2.2" + }, + { + "framework": "NESA", + "control": "M5.5.1" + }, + { + "framework": "NIAv2", + "control": "AM7" + }, + { + "framework": "NIAv2", + "control": "AM11a" + }, + { + "framework": "NIAv2", + "control": "AM11b" + }, + { + "framework": "NIAv2", + "control": "AM11c" + }, + { + "framework": "NIAv2", + "control": "AM11d" + }, + { + "framework": "NIAv2", + "control": "AM11e" + }, + { + "framework": "NIAv2", + "control": "SS30" + }, + { + "framework": "NIAv2", + "control": "VL8" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to update the grub2 configuration with audit=1:\n\n# grubby --update-kernel ALL --args 'audit=1'\n\nAdditional Information:\n\nThis recommendation is designed around the grub2 bootloader, if another bootloader is in use in your environment enact equivalent settings.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled: [FAILED]\"\n\nConfigure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nRun the following command to update the grub2 configuration with audit=1:\n\n# grubby --update-kernel ALL 
--args 'audit=1'\n\nAdditional Information:\n\nThis recommendation is designed around the grub2 bootloader, if another bootloader is in use in your environment enact equivalent settings.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-2), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-2), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=8.1.4.3(a)), ComplianceReference(framework=CSCv7, control=6.2), ComplianceReference(framework=CSCv8, control=8.2), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-2), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=M1.2.2), ComplianceReference(framework=NESA, control=M5.5.1), ComplianceReference(framework=NIAv2, control=AM7), ComplianceReference(framework=NIAv2, control=AM11a), ComplianceReference(framework=NIAv2, control=AM11b), ComplianceReference(framework=NIAv2, control=AM11c), ComplianceReference(framework=NIAv2, control=AM11d), 
ComplianceReference(framework=NIAv2, control=AM11e), ComplianceReference(framework=NIAv2, control=SS30), ComplianceReference(framework=NIAv2, control=VL8), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/grubby: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "1de91f94bc9b0b8564058b0c0706d6e2eca4ca99678f6f4a4b60ddf5bf0ca024", + "compliance_full_id_s": "e32e32f47a6d99ba538a2f3b15eb10cafee844dd2c27595fce4c6dbbeca6b9f3", + "compliance_functional_id_s": "7624c51610", + "compliance_informational_id_s": "965a708e71b616eb4fa05e1142d058c9c2c48ae85c26aa78a836ebf259e45986", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "6924bd59f0536d98cd1445e345bd6a43fdd80f078b25cac4c356469263b0ab66", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + 
"asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "ab902bd88b00350f4257a421fb43f1726b28b4a7a7e0415d0fd27f5e90760327", + "check_name_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/issue", + "check_info_s": "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them.", + "expected_value_s": "cmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + 
"framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + 
"framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/issue: [FAILED]\"\n\nRecord changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. 
Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + 
"compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "fe51e331db5b070110d5d608b8ae634ad8a9b017a8c4a905bb22a649fe6eb7fb", + "compliance_full_id_s": "ab902bd88b00350f4257a421fb43f1726b28b4a7a7e0415d0fd27f5e90760327", + "compliance_functional_id_s": "98f1326b05", + "compliance_informational_id_s": "301152ec9950c19790c8ba131b425e63067643485eb582a727a448651d10ea1b", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "f45a0261af18cea213e43f4422c7af65a52caf61e12c0084aa19a4924564011f", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + } +] \ No newline at end of file diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py index b12deb66a85..5e90b419b58 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py 
@@ -5,6 +5,7 @@ import azure.functions as func import json from .sentinel import AzureSentinel +from .exports_store import ExportsTableStore from Exceptions.ArmisExceptions import ArmisException, ArmisDataNotFoundException from .utils import Utils from . import consts @@ -38,16 +39,10 @@ def get_alert_data(self, parameter): headers=self.header, retry_401=consts.RETRY_COUNT_401, ) - if results["data"]["count"] == 0: + if ("data" in results) and ("count" in results["data"]) and (results["data"].get("count") == 0): raise ArmisDataNotFoundException(consts.LOG_FORMAT.format(__method_name, "Alert Data not found.")) - if ( - "data" in results - and "results" in results["data"] - and "total" in results["data"] - and "count" in results["data"] - and "next" in results["data"] - ): + if (("results" in results["data"]) and ("total" in results["data"]) and ("next" in results["data"])): count_per_frame_data = results["data"]["count"] data = results["data"]["results"] for i in data: @@ -105,16 +100,10 @@ def get_activity_data(self, activity_uuids): headers=self.header, retry_401=consts.RETRY_COUNT_401, ) - if results["data"]["count"] == 0: + if ("data" in results) and ("count" in results["data"]) and (results["data"].get("count") == 0): logging.warning(consts.LOG_FORMAT.format(__method_name, "Activity Data not found.")) return [] - if ( - "data" in results - and "results" in results["data"] - and "total" in results["data"] - and "count" in results["data"] - and "next" in results["data"] - ): + if (("results" in results["data"]) and ("total" in results["data"]) and ("next" in results["data"])): data = results["data"]["results"] for i in data: i["armis_activity_time"] = i["time"] 
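Review bot: In get_alert_data the second condition now indexes `results["data"]` without first checking `"data" in results`, so a response that lacks the `data` key raises KeyError (and, judging by the except clauses visible in the later hunk, surfaces as an ArmisException) instead of being treated as "no data"; the newly guarded first `if` only covers the `count == 0` case, and the removed lines did carry this guard. The matching hunk in get_activity_data has the same gap. Keeping the guard while still shortening the condition is one line: `if "data" in results and all(k in results["data"] for k in ("results", "total", "count", "next")):`. Once `"count" in results["data"]` has been checked, `results["data"].get("count") == 0` can also simply be `results["data"]["count"] == 0`. Both functions begin before their hunks and continue past them.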
@@ -134,7 +123,9 @@ def get_activity_data(self, activity_uuids): logging.error(consts.LOG_FORMAT.format(__method_name, "Error while fetching Activity : {}.".format(err))) raise ArmisException() - def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): + def post_alert_activity_data( + self, alerts_data_to_post, activity_uuid_list, offset_to_post, checkpoint_table_object: ExportsTableStore + ): """Post alert and activity data to respective table in sentinel. Args: @@ -165,7 +156,14 @@ def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): __method_name, "Posted Alerts count : {}.".format(len(alerts_data_to_post)) ) ) - self.post_alert_checkpoint(alerts_data_to_post[-1]) + offset_to_post += len(alerts_data_to_post) + logging.info( + consts.LOG_FORMAT.format(__method_name, "Saving offset '{}' in checkpoint".format(offset_to_post)) + ) + checkpoint_table_object.merge( + "armisalertactivity", "alertactivitycheckpoint", {"offset": offset_to_post} + ) + return offset_to_post except ArmisException: raise ArmisException() except Exception as err: @@ -176,7 +174,7 @@ def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): ) raise ArmisException() - def process_alerts_data(self, alerts): + def process_alerts_data(self, alerts, offset_to_post, checkpoint_table_object: ExportsTableStore): """Process alerts data to fetch related activity. Args: 
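Review bot: The docstring of post_alert_activity_data is not updated for the two new parameters; the hunk ends at `Args:` and the next hunk starts at old line 165, so the unchanged parameter list still describes only `alerts_data_to_post` and `activity_uuid_list`. Add `offset_to_post (int): alerts offset before this batch; the saved checkpoint is this value plus the number of alerts posted.` and `checkpoint_table_object (ExportsTableStore): table used to persist the checkpoint offset.`, plus a `Returns:` entry for the updated offset now returned. The same omission applies to process_alerts_data in the hunk at old line 176 and to fetch_alert_data in the hunk at old line 231, whose updated docstring renames `type_data` to `alert_parameter` but does not mention `checkpoint_table_object`.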
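Review bot: The checkpoint row is addressed by the bare literals `"armisalertactivity"` and `"alertactivitycheckpoint"`, which the hunk at old line 216 repeats verbatim together with the same increment/log/merge sequence; a typo in either copy would silently write a second checkpoint row and the connector would resume from a stale offset on its next run. Move the two names into `consts` (e.g. `CHECKPOINT_TABLE` / `CHECKPOINT_PARTITION_KEY`, names to be chosen) and factor the three statements into one helper such as `def _save_checkpoint(self, checkpoint_table_object, offset_to_post):` that both call sites use. post_alert_activity_data begins before this hunk and its except clauses follow it.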
@@ -192,13 +190,19 @@ def process_alerts_data(self, alerts): activity_uuid_list.extend(activity_uuids) alerts_data_to_post.append(alert) else: - self.post_alert_activity_data(alerts_data_to_post, activity_uuid_list) + offset_to_post = self.post_alert_activity_data( + alerts_data_to_post, activity_uuid_list, offset_to_post, checkpoint_table_object + ) alerts_data_to_post = [] activity_uuid_list = [] if len(activity_uuids) < consts.CHUNK_SIZE: activity_uuid_list.extend(activity_uuids) alerts_data_to_post.append(alert) else: + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Chunk size is greater than {}.".format(consts.CHUNK_SIZE)) + ) for index in range(0, len(activity_uuids), consts.CHUNK_SIZE): chunk_of_activity_uuids = activity_uuids[index: index + consts.CHUNK_SIZE] activity_data = self.get_activity_data(chunk_of_activity_uuids) @@ -216,10 +220,20 @@ def process_alerts_data(self, alerts): self.azuresentinel.post_data( json.dumps([alert], indent=2), consts.ARMIS_ALERTS_TABLE, "armis_alert_time" ) - self.total_alerts_posted += 1 logging.info(consts.LOG_FORMAT.format(__method_name, "Posted Alerts count : 1.")) - self.post_alert_checkpoint(alert) - self.post_alert_activity_data(alerts_data_to_post, activity_uuid_list) + self.total_alerts_posted += 1 + offset_to_post += 1 + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Saving offset '{}' in checkpoint".format(offset_to_post) + ) + ) + checkpoint_table_object.merge( + "armisalertactivity", "alertactivitycheckpoint", {"offset": offset_to_post} + ) + self.post_alert_activity_data( + alerts_data_to_post, activity_uuid_list, offset_to_post, checkpoint_table_object + ) except ArmisException: raise ArmisException() 
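Review bot: The new log line `"Chunk size is greater than {}."` says the opposite of what the branch tests: it is reached when `len(activity_uuids) < consts.CHUNK_SIZE` is false, i.e. the alert's activity count is at least the chunk size, so the message should read `"Activity count for this alert is {} or more; fetching activities in chunks.".format(consts.CHUNK_SIZE)`. In the hunk at old line 216, the trailing `self.post_alert_activity_data(...)` discards the offset it returns, whereas the call earlier in this function assigns it; if that call is the last post in process_alerts_data this is harmless, but assigning the result (or returning it to fetch_alert_data) would keep the two call sites consistent. process_alerts_data's body continues beyond both hunks.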
@@ -231,60 +245,50 @@ def process_alerts_data(self, alerts): ) raise ArmisException() - def fetch_alert_data(self, type_data, is_checkpoint_not_exist, last_time=None): + def fetch_alert_data( + self, alert_parameter, is_checkpoint_not_exist, checkpoint_table_object: ExportsTableStore, last_time=None + ): """Fetch_alert_data is used to push all the data into table. Args: - type_data (json): will contain the json data to use in parameters. + alert_parameter (json): will contain the json data to use in parameters. is_checkpoint_not_exist (bool): it is a flag that contains the value if checkpoint exists or not. last_time (String): it will contain checkpoint time stamp. """ __method_name = inspect.currentframe().f_code.co_name try: if is_checkpoint_not_exist: - aql_data = """{}""".format(type_data["aql"]) + aql_data = "in:alerts" else: - aql_data = """{} after:{}""".format(type_data["aql"], last_time) - type_data["aql"] = aql_data + aql_data = """{} after:{}""".format("in:alerts", last_time) + alert_parameter["aql"] = aql_data + alert_parameter["length"] = 1000 while self.data_alert_from is not None: - parameter_alert = { - "aql": type_data["aql"], - "from": self.data_alert_from, - "orderBy": "time", - "length": 1000, - "fields": type_data["fields"], - } - logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching alerts data.")) + alert_parameter.update({"from": self.data_alert_from}) + offset_to_post = self.data_alert_from + logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching alerts data with parameters = {}.".format(alert_parameter))) ( data, alert_time, count_per_frame_data, - ) = self.get_alert_data(parameter_alert) - self.process_alerts_data(data) + ) = self.get_alert_data(alert_parameter) + self.process_alerts_data(data, offset_to_post, checkpoint_table_object) logging.info( consts.LOG_FORMAT.format( __method_name, "Collected {} alert data from alerts api.".format(count_per_frame_data), ) ) - - if str(consts.IS_AVOID_DUPLICATES).lower() == "true": 
- alert_time = datetime.datetime.strptime(alert_time, "%Y-%m-%dT%H:%M:%S") - alert_time += datetime.timedelta(seconds=1) - alert_time = alert_time.strftime("%Y-%m-%dT%H:%M:%S") - logging.info( - consts.LOG_FORMAT.format( - __method_name, "Last timestamp with plus one second that is added : {}".format(alert_time) - ) - ) - self.state_manager_obj.post(str(alert_time)) - logging.info( - consts.LOG_FORMAT.format( - __method_name, - "" + "Last timestamp is added with plus one second into the StateManager successfully.", - ) - ) - + alert_time = datetime.datetime.strptime(alert_time, "%Y-%m-%dT%H:%M:%S") + alert_time += datetime.timedelta(seconds=1) + alert_time = alert_time.strftime("%Y-%m-%dT%H:%M:%S") + logging.info(consts.LOG_FORMAT.format(__method_name, "Saving offset '0' in checkpoint")) + logging.info( + consts.LOG_FORMAT.format(__method_name, "Adding last timestamp in checkpoint: {}".format(alert_time)) + ) + checkpoint_table_object.merge( + "armisalertactivity", "alertactivitycheckpoint", {"time": alert_time, "offset": 0} + ) except ArmisException: raise ArmisException() 
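Review bot: Merging `{"time": alert_time, "offset": 0}` after every page makes the stored `time` and the stored `offset` refer to different queries, which can skip alerts on a restart. The AQL is fixed once before the `while` loop as `in:alerts after:<last_time>`, and the offsets `process_alerts_data` writes while handling page N+1 are positions within that query, yet the `time` already in the table is page N's last alert time plus one second; if the run dies mid-page, the next run (per `check_data_exists_or_not_alert`) queries `after:<new time>` starting at that stale offset and never sees the alerts in between. Assuming `get_alert_data` (outside this hunk) is what advances `self.data_alert_from`, the fix is to move `time` only once pagination has finished: wrap the final `checkpoint_table_object.merge(...)` and its two log lines in `if self.data_alert_from is None:`, so a mid-run restart keeps the `time`/`offset` pair the offsets were recorded against. The unconditional `+1 s` also replaces the former `AvoidDuplicates` opt-in; a one-line comment explaining why that trade-off is now always acceptable would help the next reader.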
@@ -300,31 +304,64 @@ def check_data_exists_or_not_alert(self): __method_name = inspect.currentframe().f_code.co_name try: parameter_alert = { - "aql": "in:alerts", "orderBy": "time", "fields": ",".join(consts.ALERT_FIELDS), } last_time_alerts = self.state_manager_obj.get() - if last_time_alerts is None: + checkpoint_table = ExportsTableStore( + connection_string=consts.CONNECTION_STRING, table_name=consts.CHECKPOINT_TABLE_NAME + ) + + if last_time_alerts is not None: logging.info( - consts.LOG_FORMAT.format(__method_name, "The checkpoint timestamp is not available for the alerts!") + consts.LOG_FORMAT.format( + __method_name, "The checkpoint file is available for alerts. time: {}.".format(last_time_alerts) + ) + ) + checkpoint_table.create() + checkpoint_table.merge( + "armisalertactivity", "alertactivitycheckpoint", {"time": last_time_alerts, "offset": 0} ) + self.state_manager_obj.delete() + logging.info(consts.LOG_FORMAT.format(__method_name, "checkpoint file deleted from fileshare.")) self.fetch_alert_data( parameter_alert, - True, + False, + checkpoint_table, last_time_alerts, ) + return + record = checkpoint_table.get("armisalertactivity", "alertactivitycheckpoint") + fetch_data_from_scratch = False + if not record: + checkpoint_table.create() + checkpoint_table.post("armisalertactivity", "alertactivitycheckpoint", {"offset": 0}) + fetch_data_from_scratch = True else: + logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching Entity from checkpoint table")) + last_time_alerts = record.get("time") + self.data_alert_from = record.get("offset") if record.get("offset") else 0 logging.info( consts.LOG_FORMAT.format( - __method_name, "The checkpoint is available for alerts: {}.".format(last_time_alerts) + __method_name, + "Checkpoint table: Last timestamp: {}, Offset: {}".format( + last_time_alerts, self.data_alert_from + ), ) ) - self.fetch_alert_data( - parameter_alert, - False, - last_time_alerts, - ) + if last_time_alerts is None: + logging.info( + 
consts.LOG_FORMAT.format( + __method_name, "time value not available in checkpoint table. Setting time as None." + ) + ) + fetch_data_from_scratch = True + self.fetch_alert_data( + parameter_alert, + fetch_data_from_scratch, + checkpoint_table, + last_time_alerts, + ) logging.info( consts.LOG_FORMAT.format( __method_name, diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py index 11ef7d4f818..d1422b6d712 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py @@ -25,11 +25,12 @@ CONNECTION_STRING = os.environ.get("AzureWebJobsStorage", "") ARMIS_ALERTS_TABLE = os.environ.get("ArmisAlertsTableName", "") ARMIS_ACTIVITIES_TABLE = os.environ.get("ArmisActivitiesTableName", "") -IS_AVOID_DUPLICATES = os.environ.get("AvoidDuplicates", "") WORKSPACE_ID = os.environ.get("WorkspaceID", "") WORKSPACE_KEY = os.environ.get("WorkspaceKey", "") CHUNK_SIZE = 35 FILE_SHARE = "funcstatemarkershare" -CHECKPOINT_FILE = "funcarmisalertsfile" +CHECKPOINT_FILE_TIME = "funcarmisalertsfile" +CHECKPOINT_FILE_OFFSET = "armisalertoffset" LOG_FORMAT = "Armis Alerts Activities Connector: (method = {}) : {}" REQUEST_TIMEOUT = 300 +CHECKPOINT_TABLE_NAME = "ArmisAlertActivityCheckpoint" diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/exports_store.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/exports_store.py new file mode 100644 index 00000000000..a560b5baea0 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/exports_store.py 
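Review bot: On the no-file path `checkpoint_table.get("armisalertactivity", "alertactivitycheckpoint")` runs before `checkpoint_table.create()`, so a first run with no table relies on the SDK reporting a missing table as `ResourceNotFoundError` — the only exception `ExportsTableStore.get` maps to `None`; anything else would surface as an unhandled error instead of the from-scratch path. Since `create()` already tolerates an existing table via `ResourceExistsError`, calling it once right after constructing `checkpoint_table` and dropping the two later `create()` calls removes that dependency and shortens both branches. On the migration branch the fileshare checkpoint is deleted before the first fetch; that is fine because the time has already been merged into the table, but a comment such as `# table is now authoritative; remove the fileshare marker so later runs take the table path` would make the intent explicit. `check_data_exists_or_not_alert` continues past this hunk.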
@@ -0,0 +1,87 @@ +import logging + +from azure.data.tables import TableClient, UpdateMode +from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError, HttpResponseError + + +class ExportsTableStore: + + def __init__(self, connection_string, table_name): + self.connection_string = connection_string + self.table_name = table_name + + def create(self): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + table_client.create_table() + logging.info("Checkpoint Table created") + except ResourceExistsError: + logging.warning("Checkpoint Table already exists") + + def post(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + try: + table_client.create_entity(entity_template) + except Exception as e: + logging.warning("could not post entity to table") + logging.warning(e) + raise e + + def get(self, pk: str, rk: str): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + logging.info("looking for {} - {} on table {}".format(pk, rk, self.table_name)) + return table_client.get_entity(pk, rk) + except ResourceNotFoundError: + return None + + def upsert(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.REPLACE, entity=entity_template) + + def update_if_found(self, pk: str, rk: str, data: dict = None): + if self.get(pk, rk) is not None: + self.merge(pk, rk, data) + + def query_by_partition_key(self, pk): + 
table_client = TableClient.from_connection_string( + self.connection_string, self.table_name) + parameters = {u"key": pk} + name_filter = u"PartitionKey eq @key" + try: + return table_client.query_entities(name_filter, parameters=parameters) + except HttpResponseError as e: + print(e.message) + return [] + + def batch(self, operations): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + return table_client.submit_transaction(operations=operations) + + def list_all(self): + table_client = TableClient.from_connection_string(self.connection_string, self.table_name) + return table_client.list_entities() + + def merge(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.MERGE, entity=entity_template) diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py index 624a40b0665..111d99a58a2 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py @@ -1,4 +1,5 @@ """This module will help to save file to statemanager.""" + from azure.storage.fileshare import ShareClient from azure.storage.fileshare import ShareFileClient from azure.core.exceptions import ResourceNotFoundError 
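Review bot: `query_by_partition_key` swallows `HttpResponseError`, reports it with `print(e.message)` instead of the module's `logging`, and returns `[]`, so a failed checkpoint query is indistinguishable from an empty partition to the caller; I would log and re-raise: `except HttpResponseError as e: logging.error("Checkpoint table query failed: %s", e.message); raise`. That method and `list_all` also build a `TableClient` without the `with` block every other method uses, so those clients are never closed — note that wrapping a lazily evaluated `query_entities`/`list_entities` result in `with` would close the client before iteration, so either materialise with `list(...)` inside the block or document that the caller owns the iterator. In `post`, `raise e` inside the handler should be a bare `raise` to keep the original traceback, and `merge` logs `"upserting ..."` exactly like `upsert`, so the two modes cannot be told apart in logs — `"merging ..."` would.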
@@ -36,3 +37,13 @@ def get(self): return self.file_cli.download_file().readall().decode() except ResourceNotFoundError: return None + + def delete(self): + """Delete method for deleting the data from Azure Storage. + + This method will delete the file from Azure Storage. + """ + try: + self.file_cli.delete_file() + except ResourceNotFoundError: + raise ResourceNotFoundError("File not found to be deleted.") diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py index ba868876765..b4f7aedfc3a 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py @@ -22,7 +22,6 @@ def __init__(self) -> None: {"WorkspaceKey": consts.WORKSPACE_KEY}, {"ArmisSecretKey": consts.API_KEY}, {"AzureWebJobsStorage": consts.CONNECTION_STRING}, - {"AvoidDuplicates": consts.IS_AVOID_DUPLICATES}, {"ArmisAlertsTableName": consts.ARMIS_ALERTS_TABLE}, {"ArmisActivitiesTableName": consts.ARMIS_ACTIVITIES_TABLE}, ] @@ -30,7 +29,7 @@ def __init__(self) -> None: self._secret_key = consts.API_KEY self.get_access_token() self.state_manager_obj = StateManager( - connection_string=consts.CONNECTION_STRING, file_path=consts.CHECKPOINT_FILE + connection_string=consts.CONNECTION_STRING, file_path=consts.CHECKPOINT_FILE_TIME ) def check_environment_var_exist(self, environment_var): 
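Review bot: `delete` catches `ResourceNotFoundError` only to raise a fresh `ResourceNotFoundError`, which drops the original exception's request details and adds nothing for the caller. Since `get` in this class already treats a missing file as `None`, the symmetric choice is an idempotent delete — the only caller visible in this diff (the checkpoint migration in `check_data_exists_or_not_alert`) has no reason to fail if the file vanished between `get` and `delete`: `except ResourceNotFoundError: logging.info("Checkpoint file already absent; nothing to delete.")`, adding `import logging` if the module does not already have it. If the re-raise is intentional, chain it so the cause survives: `raise ResourceNotFoundError("File not found to be deleted.") from err`.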
@@ -78,10 +77,10 @@ def make_rest_call(self, method, url, params=None, headers=None, data=None, retr """ __method_name = inspect.currentframe().f_code.co_name try: - response = requests.request( - method, url, headers=headers, params=params, data=data, timeout=consts.REQUEST_TIMEOUT - ) for _ in range(retry_401 + 1): + response = requests.request( + method, url, headers=self.header, params=params, data=data, timeout=consts.REQUEST_TIMEOUT + ) if response.status_code == 200: response_json = response.json() logging.info( @@ -222,32 +221,6 @@ def get_formatted_time(self, alert_time): ) raise ArmisException() - def post_alert_checkpoint(self, alert): - """Post alert checkpoint. - - Args: - alert (dict): last alert from data - """ - __method_name = inspect.currentframe().f_code.co_name - try: - alert_time = self.get_formatted_time(alert["time"][:19]) - self.state_manager_obj.post(str(alert_time)) - logging.info( - consts.LOG_FORMAT.format(__method_name, "Alerts checkpoint updated : {}.".format(str(alert_time))) - ) - except KeyError as err: - logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) - raise ArmisException() - - except ArmisException: - raise ArmisException() - - except Exception as err: - logging.error( - consts.LOG_FORMAT.format(__method_name, "Error while posting alerts checkpoint : {}.".format(err)) - ) - raise ArmisException() - def get_access_token(self): """get_access_token method will fetch the access token using api and set it in header for further use.""" __method_name = inspect.currentframe().f_code.co_name 
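Review bot: Moving the request inside the retry loop also swapped `headers=headers` for `headers=self.header`, so the `headers` parameter visible in the `make_rest_call` signature is now silently ignored for every caller. Presumably the intent is that a 401 retry picks up the token refreshed into `self.header` (the refresh happens outside this hunk); that still works while honouring callers, because `self.header.update(...)` mutates the dict in place, so `headers=headers if headers is not None else self.header` keeps both behaviours. If the parameter really is meant to be dead, remove it from the signature and docstring rather than leaving a misleading knob. `make_rest_call` starts and ends outside this hunk.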
@@ -255,7 +228,7 @@ def get_access_token(self): body = {"secret_key": self._secret_key} logging.info(consts.LOG_FORMAT.format(__method_name, "Getting access token.")) response = self.make_rest_call(method="POST", url=consts.URL + consts.ACCESS_TOKEN_SUFFIX, data=body) - access_token = response["data"]["access_token"] + access_token = response.get("data", {}).get("access_token") self.header.update({"Authorization": access_token}) logging.info(consts.LOG_FORMAT.format(__method_name, "Generated access token Successfully.")) except KeyError as err: diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip index f7219c0f5be..0c15733685a 100644 Binary files a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip and b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip differ diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json index 5b927cf63a3..7a3f4cf8b4d 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json 
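Review bot: `response.get("data", {}).get("access_token")` turns a missing token into `None`, which is then stored as the `Authorization` header, so the `except KeyError` handler that follows can no longer fire for this case and the failure surfaces later as a malformed-header or 401 error on an unrelated call instead of here. Fail fast where the information is, in the file's existing style: `if not access_token: logging.error(consts.LOG_FORMAT.format(__method_name, "access_token missing from response.")); raise ArmisException()` before the `self.header.update(...)`. The token also appears to be sent without a scheme prefix; if that is Armis's contract, a one-line comment saying so stops a reader from "fixing" it to `Bearer`. `get_access_token` continues past this hunk.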
@@ -10,35 +10,50 @@ }, "WorkspaceID": { "type": "string", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics Workspace" + } }, "WorkspaceKey": { "type": "securestring", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Primary Key of Log Analytics Workspace" + } }, "ArmisSecretKey": { "type": "securestring", - "defaultValue": "" + "metadata": { + "description": "Enter Armis Secret Key for Authentication" + } }, - "ArmisURL":{ + "ArmisBaseURL":{ "type": "string", - "defaultValue": "" + "metadata": { + "description": "Enter Base URL starting with \"https://\" followed by hostname(Example: https://[armis-instance].armis.com/api/v1)" + } }, "ArmisAlertsTableName":{ "type": "string", - "defaultValue": "Armis_Alerts_CL" + "defaultValue": "Armis_Alerts_CL", + "metadata": { + "description": "Enter name of the table used to store Armis Alerts logs. Default is 'Armis_Alerts_CL'" + } }, "ArmisActivitiesTableName":{ "type": "string", - "defaultValue": "Armis_Activities_CL" + "defaultValue": "Armis_Activities_CL", + "metadata": { + "description": "Enter name of the table used to store Armis Activities logs. Default is 'Armis_Activities_CL'" + } }, "ArmisSchedule":{ "type": "string", - "defaultValue": "" - }, - "AvoidDuplicates":{ - "type": "bool", - "defaultValue": true + "defaultValue": "0 */15 * * * *", + "metadata": { + "description": "Enter a valid Quartz Cron-Expression (Example: 0 0 0 * * *)" + } }, "AppInsightsWorkspaceResourceID": { "type": "string", @@ -95,7 +110,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { 
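Review bot: `WorkspaceID` and `WorkspaceKey` gained `"minLength": 1` when their empty defaults were removed, but `ArmisSecretKey` and `ArmisBaseURL` did not, so an empty secret or URL still deploys cleanly and the connector only fails at runtime (for the URL, presumably with a scheme error once `consts.URL` is concatenated with the token suffix). Add `"minLength": 1` to both; and since the connector posts the secret key in a request body to this URL, the description's `https://` requirement is a security boundary, not a formatting hint — the function should reject a non-`https://` base URL at startup, and the description should say that it does. The `"minimumTlsVersion": "TLS1_2"` addition on the storage account is good; the same resource should also carry `"supportsHttpsTrafficOnly": true` if it does not already (the rest of its properties are outside this hunk).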
@@ -176,11 +192,10 @@ "WorkspaceID": "[parameters('WorkspaceID')]", "WorkspaceKey": "[parameters('WorkspaceKey')]", "ArmisSecretKey": "[parameters('ArmisSecretKey')]", - "ArmisURL": "[parameters('ArmisURL')]", + "ArmisURL": "[parameters('ArmisBaseURL')]", "ArmisAlertsTableName": "[parameters('ArmisAlertsTableName')]", "ArmisActivitiesTableName": "[parameters('ArmisActivitiesTableName')]", "Schedule": "[parameters('ArmisSchedule')]", - "AvoidDuplicates": "[parameters('AvoidDuplicates')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-ArmisAlertsActivities-functionapp" } } diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt index 19af94f97bf..52584d6099a 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt @@ -4,4 +4,5 @@ azure-functions azure-storage-file-share==12.3.0 -requests \ No newline at end of file +requests +azure-data-tables==12.1.0 diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip index ed587195be0..52989053567 100644 Binary files a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip and b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip differ diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py index affc715087b..1cf4cbfa52d 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py +++ b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py @@ -1,4 +1,5 @@ """This __init__ file will be called once the trigger is generated.""" + import datetime import logging import azure.functions as func 
@@ -7,17 +8,23 @@ import hmac import json import os +import time import requests from .state_manager import StateManager -from Exceptions.ArmisExceptions import ArmisException, ArmisDataNotFoundException +from .exports_store import ExportsTableStore +from Exceptions.ArmisExceptions import ( + ArmisException, + ArmisDataNotFoundException, + ArmisTimeOutException, +) + API_KEY = os.environ["ArmisSecretKey"] url = os.environ["ArmisURL"] connection_string = os.environ["AzureWebJobsStorage"] customer_id = os.environ["WorkspaceID"] shared_key = os.environ["WorkspaceKey"] -armis_devices = os.environ["ArmisDeviceTableName"] -is_avoid_duplicates = os.environ["AvoidDuplicates"] +armis_devices_table_name = os.environ["ArmisDeviceTableName"] HTTP_ERRORS = { 400: "Armis Device Connector: Bad request: Missing aql parameter.", @@ -28,19 +35,47 @@ "HOST_CONNECTION_ERROR": "Armis Device Connector: Invalid host while verifying 'armis account'.", } +CHECKPOINT_TABLE_NAME = "ArmisDeviceCheckpoint" +DEVICE_FIELD_LIST = [ + "accessSwitch", + "category", + "firstSeen", + "id", + "ipAddress", + "lastSeen", + "macAddress", + "manufacturer", + "model", + "name", + "operatingSystem", + "operatingSystemVersion", + "riskLevel", + "sensor", + "site", + "tags", + "type", + "user", + "visibility", + "serialNumber", + "plcModule", + "purdueLevel", + "firmwareVersion", +] +MAX_RETRY = 5 +FUNCTION_APP_TIMEOUT_SECONDS = 570 body = "" class ArmisDevice: """This class will process the Device data and post it into the Microsoft sentinel.""" - def __init__(self): + def __init__(self, start_time): """__init__ method will initialize object of class.""" + self.start_time = start_time self._link = url self._header = {} self._secret_key = API_KEY self._data_device_from = 0 - self._retry_device_token = 1 def _get_access_token_device(self, armis_link_suffix): """ 
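Review bot: The new module constants carry no explanation, and two of them encode operational limits a maintainer must be able to reason about: `FUNCTION_APP_TIMEOUT_SECONDS = 570` and `MAX_RETRY = 5`. I would annotate them, e.g. `# Stop paging before the Functions host timeout; presumably a margin under a 10-minute limit — confirm against host.json / plan` on the first and `# Upper bound on 401 re-authentication attempts in _get_device_data` on the second, and note on `CHECKPOINT_TABLE_NAME` that the entity is keyed by 'armisdevice' / 'devicecheckpoint'. `DEVICE_FIELD_LIST` is the field list sent to the Armis search API, so a comment that adding a field here changes the ingested device table's schema would also help.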
@@ -53,36 +88,68 @@ def _get_access_token_device(self, armis_link_suffix): if self._secret_key is not None and self._link is not None: body = {"secret_key": self._secret_key} try: - response = requests.post( - (self._link + armis_link_suffix), data=body - ) + response = requests.post((self._link + armis_link_suffix), data=body) if response.status_code == 200: logging.info("Armis Device Connector: Getting access token.") - _access_token = json.loads(response.text)["data"]["access_token"] + response = response.json() + _access_token = response.get("data", {}).get("access_token") self._header.update({"Authorization": _access_token}) elif response.status_code == 400: raise ArmisException( "Armis Device Connector: Please check either armis URL or armis secret key is wrong." ) - else: raise ArmisException( - "Armis Device Connector: Error while generating the access token. error code: {}.".format( - response.status_code + "Armis Device Connector: Error while generating the access token. Code: {} Message: {}.".format( + response.status_code, response.text ) ) - except ArmisException as err: logging.error(err) raise ArmisException( "Armis Device Connector: Error while generating the access token." ) - else: raise ArmisException( "Armis Device Connector: The secret key or link has not been initialized." ) + def validate_timestamp(self, last_seen_time): + """function is used to validate the timestamp format. The timestamp should be in + ISO 8601 format 'YYYY-MM-DDTHH:MM:SS'. If the timestamp is not in correct format, it will + be formatted according to the given timestamp format. + + Args: + last_seen_time (String): Timestamp string to be validated. + + Returns: + String: Validated timestamp string. + """ + try: + if len(last_seen_time) != 19: + if len(last_seen_time) == 10: + last_seen_time += "T00:00:00" + logging.info( + "Armis Device Connector: 'T:00:00:00' added as only date is available." 
+ ) + else: + splited_time = last_seen_time.split("T") + if len(splited_time[1]) == 5: + splited_time[1] += ":00" + logging.info( + "Armis Device Connector: ':00' added as seconds not available." + ) + elif len(splited_time[1]) == 2: + splited_time[1] += ":00:00" + logging.info( + "Armis Device Connector: ':00:00' added as only hour is available." + ) + last_seen_time = "T".join(splited_time) + return last_seen_time + except Exception as err: + logging.error("Armis Device Connector: Error occurred: {}".format(err)) + raise ArmisException(err) + def _get_device_data(self, armis_link_suffix, parameter): """Get_device_data is used to get data using api. 
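Review bot: The rewritten `requests.post((self._link + armis_link_suffix), data=body)` still has no `timeout=`, so a stalled connection to the Armis host blocks the function until the host kills it, and the new wall-clock guard in `_fetch_device_data` (checked only between pages) cannot interrupt it; the sibling alerts connector passes `timeout=consts.REQUEST_TIMEOUT`, so `requests.post(..., data=body, timeout=REQUEST_TIMEOUT)` with a module constant would match it. `response.get("data", {}).get("access_token")` now yields `None` on a malformed 200 response and stores it as the `Authorization` header, deferring the failure to the first search call; raise `ArmisException("Armis Device Connector: access_token missing from response.")` when it is falsy. `validate_timestamp` reaches `splited_time[1]` for any input whose length is neither 10 nor 19, so a value without a `T` separator ends in the generic `except Exception` path as `ArmisException(err)`; since the caller feeds it `data[-1]["lastSeen"][:19]` from an external API, the docstring should state that expectation.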
@@ -93,80 +160,82 @@ def _get_device_data(self, armis_link_suffix, parameter): """ try: + for i in range(MAX_RETRY + 1): + response = requests.get( + (self._link + armis_link_suffix), + params=parameter, + headers=self._header, + ) + if response.status_code == 200: + logging.info("Armis Device Connector: Status Code : 200") + results = response.json() - response = requests.get( - (self._link + armis_link_suffix), params=parameter, headers=self._header - ) - if response.status_code == 200: - logging.info("API connected successfully with Armis to fetch the data.") - results = json.loads(response.text) + if results["data"]["count"] == 0: + raise ArmisDataNotFoundException( + "Armis Device Connector: Data not found." + ) + + if ( + "data" in results + and "results" in results["data"] + and "total" in results["data"] + and "count" in results["data"] + and "next" in results["data"] + ): + total_data_length = results["data"]["total"] + count_per_frame_data = results["data"]["count"] + data = results["data"]["results"] + + for i in data: + i["armis_device_time"] = i["lastSeen"] + + logging.info( + "Armis Device Connector: From {}, total length {}".format( + self._data_device_from, total_data_length + ) + ) + self._data_device_from = results["data"]["next"] + last_seen_time = data[-1]["lastSeen"][:19] + last_seen_time = self.validate_timestamp(last_seen_time) + + return ( + data, + last_seen_time, + total_data_length, + count_per_frame_data, + ) + else: + raise ArmisException( + "Armis Device Connector: There are no proper keys in data." + ) - if(results["data"]["count"] == 0): - raise ArmisDataNotFoundException( - "Armis Device Connector: Data not found." 
+ elif response.status_code == 400: + logging.error( + "Armis Device Connector: Status Code : 400, Error: {}".format( + HTTP_ERRORS[400] + ) ) + raise ArmisException(HTTP_ERRORS[400]) - if ( - "data" in results - and "results" in results["data"] - and "total" in results["data"] - and "count" in results["data"] - and "next" in results["data"] - ): - total_data_length = results["data"]["total"] - count_per_frame_data = results["data"]["count"] - data = results["data"]["results"] - - for i in data: - i["armis_device_time"] = i["lastSeen"] - - body = json.dumps(data) + elif response.status_code == 401: logging.info( - "Armis Device Connector: From %s length 1000", - self._data_device_from, + "Armis Device Connector: Retry number: {}".format(str(i + 1)) ) - self._data_device_from = results["data"]["next"] - current_time = data[-1]["lastSeen"][:19] - if len(current_time) != 19: - if len(current_time) == 10: - current_time += "T00:00:00" - logging.info("Armis Device Connector: 'T:00:00:00' added as only date is available.") - else: - splited_time = current_time.split('T') - if len(splited_time[1]) == 5: - splited_time[1] += ":00" - logging.info("Armis Device Connector: ':00' added as seconds not available.") - elif len(splited_time[1]) == 2: - splited_time[1] += ":00:00" - logging.info("Armis Device Connector: ':00:00' added as only hour is available.") - current_time = "T".join(splited_time) - - return body, current_time, total_data_length, count_per_frame_data + logging.error( + "Armis Device Connector: Status Code : 401, Error: {}".format( + HTTP_ERRORS[401] + ) + ) + self._get_access_token_device("/access_token/") + continue else: raise ArmisException( - "Armis Device Connector: There are no proper keys in data." 
- ) - - elif response.status_code == 400: - raise ArmisException(HTTP_ERRORS[400]) - - elif response.status_code == 401 and self._retry_device_token <= 3: - logging.info( - "Armis Device Connector: Retry number: {}".format( - str(self._retry_device_token) - ) - ) - self._retry_device_token += 1 - logging.error(HTTP_ERRORS[401]) - logging.info("Armis Device Connector: Generating access token again!") - self._get_access_token_device("/access_token/") - return self._get_device_data(armis_link_suffix, parameter) - else: - raise ArmisException( - "Armis Device Connector: Error while fetching data. status Code:{} error message:{}.".format( - response.status_code, response.text + "Armis Device Connector: Error while fetching data. status Code:{} error message:{}.".format( + response.status_code, response.text + ) ) - ) + logging.error("Armis Device Connector: Max retry reached.") + raise ArmisException("Armis Device Connector: Max retry reached.") except requests.exceptions.ConnectionError: logging.error(ERROR_MESSAGES["HOST_CONNECTION_ERROR"]) 
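Review bot: In the 200 branch `results["data"]["count"] == 0` is evaluated before the `"data" in results and ... "count" in results["data"]` validation that follows it, so an unexpected response body raises `KeyError`/`TypeError` instead of the intended `ArmisException("Armis Device Connector: There are no proper keys in data.")`; move the count check inside the validated branch so the validation actually guards every key access. The retry index `i` is reused as the record variable in `for i in data: i["armis_device_time"] = i["lastSeen"]`; it only avoids corrupting the `str(i + 1)` retry log because the 200 path returns, so rename the inner one (`for record in data:`). `requests.get(...)` here also has no `timeout=`, the same gap as the token call. `_get_device_data`'s exception handling continues past this hunk.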
@@ -191,41 +260,42 @@ def _get_device_data(self, armis_link_suffix, parameter): raise ArmisDataNotFoundException() def _fetch_device_data( - self, type_data, state, table_name, is_table_not_exist, last_time=None + self, + checkpoint_table_object: ExportsTableStore, + table_name, + last_seen_not_available, + last_time=None, ): """Fetch_device_data is used to push all the data into table. Args: - self: Armis object. - type_data (json): will contain the json data to use in the _get_links function. - state (object): StateManager object. + checkpoint_table_object (object): Azure Storage table object. table_name (String): table name to store the data in microsoft sentinel. - is_table_not_exist (bool): it is a flag that contains the value if table exists or not. + last_seen_not_available (bool): it is a flag that contains the value if last seen exists or not. last_time (String): it will contain latest time stamp. """ try: - self._get_access_token_device("/access_token/") - if is_table_not_exist: - aql_data = """{}""".format(type_data["aql"]) + if last_seen_not_available: + aql_data = "in:devices" else: - aql_data = """{} after:{}""".format(type_data["aql"], last_time) - type_data["aql"] = aql_data - logging.info( - "Armis Device Connector: aql data new " + str(type_data["aql"]) - ) + aql_data = "in:devices after:{}".format(last_time) + logging.info("Armis Device Connector: aql query: " + aql_data) + self._get_access_token_device("/access_token/") azuresentinel = AzureSentinel() + parameter_device = { + "aql": aql_data, + "orderBy": "lastSeen", + "length": 1000, + "fields": ",".join(DEVICE_FIELD_LIST), + } while self._data_device_from is not None: - parameter_device = { - "aql": type_data["aql"], - "from": self._data_device_from, - "orderBy": "lastSeen", - "length": 1000, - "fields": type_data["fields"], - } + if int(time.time()) >= self.start_time + FUNCTION_APP_TIMEOUT_SECONDS: + raise ArmisTimeOutException() + parameter_device.update({"from": self._data_device_from}) ( 
- body, - current_time, + data, + last_seen_time, total_data_length, count_per_frame_data, ) = self._get_device_data("/search/", parameter_device) 
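Review bot: The new guard `if int(time.time()) >= self.start_time + FUNCTION_APP_TIMEOUT_SECONDS: raise ArmisTimeOutException()` is evaluated only between pages, so it bounds the number of pages, not the duration of a single `_get_device_data` call or the `post_data` that follows; with no `timeout=` on the underlying `requests` calls in this diff, one hung request still overruns the host limit. That is acceptable if stated — I would add `# Best-effort budget check between pages; a single slow request can still exceed it, request timeouts are the hard bound` above the `if`. The docstring's `last_time (String): it will contain latest time stamp.` should also say that the value is interpolated into the AQL `after:` clause and is expected in `YYYY-MM-DDTHH:MM:SS` form, which is what `validate_timestamp` produces. The method body continues past this hunk.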
@@ -233,37 +303,51 @@ def _fetch_device_data( "Armis Device Connector: Total length of data is %s ", total_data_length, ) - logging.info("Armis Device Connector: Data collection is done successfully.") - azuresentinel.post_data(customer_id, body, table_name) + azuresentinel.post_data(customer_id, json.dumps(data), table_name) logging.info( - "Armis Device Connector: Collected %s device data into microsoft sentinel.", + "Armis Device Connector: Collected %s device data and ingested into sentinel.", count_per_frame_data, ) - state.post(str(current_time)) - logging.info( - "Armis Device Connector: Timestamp added at: " + str(current_time) - ) - logging.info( - "Armis Device Connector: Timestamp added into the StateManager successfully." - ) - if(str(is_avoid_duplicates).lower() == "true"): - current_time = datetime.datetime.strptime(current_time, '%Y-%m-%dT%H:%M:%S') - current_time += datetime.timedelta(seconds=1) - current_time = current_time.strftime('%Y-%m-%dT%H:%M:%S') - state.post(str(current_time)) - logging.info("Armis Device Connector: Last timestamp with plus one second that is added at: {}".format( - current_time) + if self._data_device_from is not None: + checkpoint_table_object.merge( + "armisdevice", + "devicecheckpoint", + {"offset": self._data_device_from}, + ) + logging.info( + "Armis Device Connector: Offset updated in Checkpoint table as: " + + str(self._data_device_from) + ) + + logging.info( + "Armis Device Connector: Data collection and ingestion is completed till last_seen: {}".format( + last_seen_time + ) + ) + last_seen_time = datetime.datetime.strptime( + last_seen_time, "%Y-%m-%dT%H:%M:%S" + ) + last_seen_time += datetime.timedelta(seconds=1) + last_seen_time = last_seen_time.strftime("%Y-%m-%dT%H:%M:%S") + checkpoint_table_object.merge( + "armisdevice", + "devicecheckpoint", + {"last_seen": last_seen_time, "offset": 0}, + ) + logging.info( + "Armis Device Connector: Set last_seen '{}' and offset '0' in Checkpoint table".format( + 
last_seen_time ) - logging.info("Armis Device Connector: " - + "Last timestamp is added with plus one second into the StateManager successfully.") + ) except ArmisException as err: logging.error(err) raise ArmisException( "Armis Device Connector: Error while processing the data." ) - + except ArmisTimeOutException: + raise ArmisTimeOutException() except ArmisDataNotFoundException: raise ArmisDataNotFoundException() 
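Review bot: After the `while` loop, `last_seen_time` is read unconditionally in the `logging.info(...format(last_seen_time))` call, but it is only assigned inside the loop, so a call where `self._data_device_from` is already `None` on entry would raise `UnboundLocalError`; whether that can happen depends on how `__init__` initialises `_data_device_from`, which is outside this hunk. Initialising `last_seen_time = None` before the loop and adding `if last_seen_time is None: return` after it would make the function safe regardless. Separately, `except ArmisTimeOutException: raise ArmisTimeOutException()` replaces the caught exception with a fresh instance and drops its traceback; a bare `raise` keeps the original. The start of `_fetch_device_data` is in the previous hunk.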
@@ -274,50 +358,100 @@ def check_data_exists_or_not_device(self): self: Armis object. """ - device_field_list = ["accessSwitch", "category", "firstSeen", "id", "ipAddress", "lastSeen", - "macAddress", "manufacturer", "model", "name", "operatingSystem", - "operatingSystemVersion", "riskLevel", "sensor", "site", "tags", "type", "user", - "visibility", "serialNumber", "plcModule", "purdueLevel", "firmwareVersion"] + try: - parameter_devices = { - "aql": "in:devices", - "orderBy": "lastSeen", - "fields": ','.join(device_field_list), - } - state_devices = StateManager( + self.state_devices = StateManager( connection_string=connection_string, file_path="funcarmisdevicesfile" ) - last_time_devices = state_devices.get() - if last_time_devices is None: + checkpoint_table_obj = ExportsTableStore( + connection_string=connection_string, table_name=CHECKPOINT_TABLE_NAME + ) + last_time_devices = self.state_devices.get() + + if last_time_devices is not None: logging.info( - "Armis Device Connector: The last run timestamp is not available for the devices!" + "Armis Device Connector: The checkpoint file in file share is available for device endpoint." 
) - self._fetch_device_data( - parameter_devices, - state_devices, - armis_devices, - True, - last_time_devices, + logging.info( + "Armis Device Connector: Last timestamp stored in file for devices: {}".format( + last_time_devices + ) ) - logging.info("Armis Device Connector: Data ingestion initiated.") - else: + logging.info("Armis Device Connector: Creating Checkpoint table.") + checkpoint_table_obj.create() + logging.info( - "Armis Device Connector: The last time point is available in devices: {}.".format( + "Armis Device Connector: Storing value in Checkpoint table - last_seen: {}, offset: 0".format( last_time_devices ) ) + checkpoint_table_obj.merge( + "armisdevice", + "devicecheckpoint", + {"last_seen": last_time_devices, "offset": 0}, + ) + self.state_devices.delete() + logging.info( + "Armis Device Connector: Checkpoint file deleted from fileshare." + ) self._fetch_device_data( - parameter_devices, - state_devices, - armis_devices, + checkpoint_table_obj, + armis_devices_table_name, False, last_time_devices, ) + return + + # last_time_devices is None + is_last_seen_not_available = False + record = checkpoint_table_obj.get("armisdevice", "devicecheckpoint") + if not record: + # first iteration and start from the beginning + logging.info("Armis Device Connector: Creating Checkpoint table.") + checkpoint_table_obj.create() + checkpoint_table_obj.post( + "armisdevice", "devicecheckpoint", {"offset": 0} + ) + is_last_seen_not_available = True + else: + logging.info( + "Armis Device Connector: Fetching Entity from Checkpoint table: {}".format( + CHECKPOINT_TABLE_NAME + ) + ) + last_time_devices = record.get("last_seen") + self._data_device_from = ( + record.get("offset") if record.get("offset") else 0 + ) logging.info( - "Armis Device Connector: Data added when logs was already in %s.", - armis_devices, + "Armis Device Connector: Checkpoint table: {} last_seen: {}, offset: {}".format( + armis_devices_table_name, + last_time_devices, + self._data_device_from, + ) 
) - logging.info("Armis Device Connector: Device data added successfully !") + if last_time_devices is None: + logging.info( + "Armis Device Connector: last_seen value not available in checkpoint table." + ) + is_last_seen_not_available = True + else: + logging.info( + "Armis Device Connector: last_seen value is available in checkpoint table." + ) + + self._fetch_device_data( + checkpoint_table_obj, + armis_devices_table_name, + is_last_seen_not_available, + last_time_devices, + ) + + except ArmisTimeOutException: + logging.info( + "Armis Device Connector: 9:30 mins executed hence stopping the execution" + ) + return except ArmisException as err: logging.error(err) raise ArmisException( @@ -368,7 +502,7 @@ def post_data(self, customer_id, body, log_type): resource = "/api/logs" rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") content_length = len(body) - timestamp_date = 'armis_device_time' + timestamp_date = "armis_device_time" try: signature = self.build_signature( rfc1123date, @@ -433,8 +567,8 @@ def main(mytimer: func.TimerRequest) -> None: "Armis Device Connector: Python timer trigger function ran at %s", utc_timestamp, ) - - armis_obj = ArmisDevice() + start_time = time.time() + armis_obj = ArmisDevice(start_time) try: armis_obj.check_data_exists_or_not_device() except ArmisDataNotFoundException: diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/exports_store.py b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/exports_store.py new file mode 100644 index 00000000000..cf138d51f14 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/exports_store.py 
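Review bot: The `ArmisTimeOutException` handler in `check_data_exists_or_not_device` logs a hard-coded "9:30 mins", although the limit actually enforced in `_fetch_device_data` is `FUNCTION_APP_TIMEOUT_SECONDS`, so the message and the behaviour will silently diverge if the constant changes. Suggest `logging.info("Armis Device Connector: %s seconds elapsed, stopping; next run resumes from the checkpoint offset", FUNCTION_APP_TIMEOUT_SECONDS)`. Also, in the migration branch `self.state_devices.delete()` can raise `ResourceNotFoundError` (see the `state_manager.py` hunk), which is not an `ArmisException` and would propagate out of this method uncaught; it is unlikely because the file was just read, but catching and logging it would keep one missing file from failing the whole run. The method's trailing `except ArmisException` block continues past the end of the hunk.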
@@ -0,0 +1,88 @@ +import logging +from azure.data.tables import TableClient, UpdateMode +from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError, HttpResponseError + + +class ExportsTableStore: + + def __init__(self, connection_string, table_name): + self.connection_string = connection_string + self.table_name = table_name + + def create(self): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + table_client.create_table() + logging.info("Checkpoint Table created") + except ResourceExistsError: + logging.warning("Table already exists") + + def post(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + try: + table_client.create_entity(entity_template) + except Exception as e: + logging.warning("could not post entity to table") + logging.warning(e) + raise e + + def get(self, pk: str, rk: str): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + logging.info( + "looking for {} - {} on table {}".format(pk, rk, self.table_name)) + return table_client.get_entity(pk, rk) + except ResourceNotFoundError: + return None + + def upsert(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.REPLACE, entity=entity_template) + + def update_if_found(self, pk: str, rk: str, data: dict = None): + if self.get(pk, rk) is not None: + self.merge(pk, rk, data) + + def query_by_partition_key(self, pk): + 
table_client = TableClient.from_connection_string( + self.connection_string, self.table_name) + parameters = {u"key": pk} + name_filter = u"PartitionKey eq @key" + try: + return table_client.query_entities(name_filter, parameters=parameters) + except HttpResponseError as e: + print(e.message) + return [] + + def batch(self, operations): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + return table_client.submit_transaction(operations=operations) + + def list_all(self): + table_client = TableClient.from_connection_string( + self.connection_string, self.table_name) + return table_client.list_entities() + + def merge(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.MERGE, entity=entity_template) diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py index 92eac7ac99b..50a6fbeed8e 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py +++ b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py @@ -35,3 +35,13 @@ def get(self): return self.file_cli.download_file().readall().decode() except ResourceNotFoundError: return None + + def delete(self): + """Delete method for deleting the data from Azure Storage. + + This method will delete the file from Azure Storage. + """ + try: + self.file_cli.delete_file() + except ResourceNotFoundError: + raise ResourceNotFoundError("File not found to be deleted.") 
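Review bot: `query_by_partition_key` reports failures with `print(e.message)` while every other method in `ExportsTableStore` uses `logging`, so inside the Function App that error would not reach the configured log sink; use `logging.error("query on table %s failed: %s", self.table_name, e.message)`. The same method and `list_all` also build the `TableClient` without the `with` block the other methods use, so those clients are never closed. The `merge` log line says "upserting", identical to `upsert`, although it runs `UpdateMode.MERGE`; `"merging {} - {} on table {}"` would make the two operations distinguishable in logs. Finally, `data: dict = None` on `post`, `upsert`, `update_if_found` and `merge` should be annotated `Optional[dict]` (from `typing`) to match the `None` default.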
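Review bot: `StateManager.delete` catches `ResourceNotFoundError` only to raise a new `ResourceNotFoundError` with a different message, which discards the original traceback and the SDK's response details; binding it with `except ResourceNotFoundError as err:` and using `raise ResourceNotFoundError("File not found to be deleted.") from err` keeps them, or a bare `raise` keeps the SDK message. The docstring should state the contract, e.g. `Raises: ResourceNotFoundError: if the state file does not exist.`. Since the caller in `check_data_exists_or_not_device` only deletes a file it has just read successfully, an idempotent delete that logs and returns may be the more robust contract.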
diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py b/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py index 511169b052f..8e999d742e7 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py +++ b/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py @@ -11,3 +11,9 @@ class ArmisDataNotFoundException(Exception): """ArmisDataNotFoundException class will inherit Exception class.""" pass + + +class ArmisTimeOutException(Exception): + """ArmisTimeOutException class will inherit Exception class.""" + + pass diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json b/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json index a3787ccad14..0c48580a92a 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json +++ b/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json 
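Review bot: The docstring on the new `ArmisTimeOutException` only restates that it subclasses `Exception`; it should say when it is raised so the handler in `check_data_exists_or_not_device` can be understood from the class alone. Suggest `"""Raised when the function app's execution-time budget (FUNCTION_APP_TIMEOUT_SECONDS) is reached; the current run stops and the next trigger resumes from the stored checkpoint offset."""`.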
@@ -10,31 +10,43 @@ }, "WorkspaceID": { "type": "string", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics Workspace" + } }, "WorkspaceKey": { "type": "securestring", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Primary Key of Log Analytics Workspace" + } }, "ArmisSecretKey": { "type": "securestring", - "defaultValue": "" + "metadata": { + "description": "Enter Armis Secret Key for Authentication" + } }, - "ArmisURL":{ + "ArmisBaseURL":{ "type": "string", - "defaultValue": "" + "metadata": { + "description": "Enter Base URL starting with \"https://\" followed by hostname(Example: https://[armis-instance].armis.com/api/v1)" + } }, "ArmisDeviceTableName":{ "type": "string", - "defaultValue": "Armis_Devices_CL" + "defaultValue": "Armis_Devices_CL", + "metadata": { + "description": "Enter name of the table used to store Armis Devices logs. Default is 'Armis_Devices_CL'" + } }, "ArmisSchedule":{ "type": "string", - "defaultValue": "" - }, - "AvoidDuplicates":{ - "type": "bool", - "defaultValue": true + "defaultValue": "0 */25 * * * *", + "metadata": { + "description": "Enter a valid Quartz Cron-Expression (Example: 0 0 0 * * *)" + } }, "AppInsightsWorkspaceResourceID": { "type": "string", @@ -91,7 +103,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { @@ -172,10 +185,9 @@ "WorkspaceID": "[parameters('WorkspaceID')]", "WorkspaceKey": "[parameters('WorkspaceKey')]", "ArmisSecretKey": "[parameters('ArmisSecretKey')]", - "ArmisURL": "[parameters('ArmisURL')]", + "ArmisURL": "[parameters('ArmisBaseURL')]", "ArmisDeviceTableName": "[parameters('ArmisDeviceTableName')]", "Schedule": "[parameters('ArmisSchedule')]", - "AvoidDuplicates": "[parameters('AvoidDuplicates')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-ArmisDevice-functionapp" } } 
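Review bot: `ArmisSecretKey` and `ArmisBaseURL` in the parameters hunk receive `metadata` descriptions but, unlike `WorkspaceID` and `WorkspaceKey`, no `"minLength": 1`, so a deployment with an empty secret or base URL is accepted and only fails at the first API call inside the function; adding `"minLength": 1` to both keeps the validation consistent across the required inputs. Removing the `AvoidDuplicates` parameter (and its app setting in the third hunk) means any existing parameter file that still supplies it will be rejected by Resource Manager as an unrecognised parameter; that is acceptable for a behaviour that is now always on, but it should be called out in the release notes. The `ArmisBaseURL` description promises an `https://` prefix but nothing enforces it; if the template cannot validate it, the function should, since the value becomes the base of every outbound request.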
diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt b/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt index a1e7bb9f903..52584d6099a 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt +++ b/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt @@ -5,3 +5,4 @@ azure-functions azure-storage-file-share==12.3.0 requests +azure-data-tables==12.1.0 diff --git a/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json b/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json index dcd9becf56e..b0a458f3586 100644 --- a/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json +++ b/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json @@ -16,7 +16,7 @@ "Workbooks/AzureKeyVaultWorkbook.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Azure Key Vault", - "Version": "3.0.2", + "Version": "3.0.3", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "StaticDataConnectorIds": [ diff --git a/Solutions/Azure Key Vault/Package/3.0.3.zip b/Solutions/Azure Key Vault/Package/3.0.3.zip new file mode 100644 index 00000000000..3d363788769 Binary files /dev/null and b/Solutions/Azure Key Vault/Package/3.0.3.zip differ diff --git a/Solutions/Azure Key Vault/Package/createUiDefinition.json b/Solutions/Azure Key Vault/Package/createUiDefinition.json index 1911cd6292c..611179ced7e 100644 --- a/Solutions/Azure Key Vault/Package/createUiDefinition.json +++ b/Solutions/Azure Key Vault/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Key%20Vault/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Key%20Vault/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -166,7 +166,7 @@ "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise" + "text": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise" } } ] 
@@ -180,7 +180,7 @@ "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052" + "text": "Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052" } } ] diff --git a/Solutions/Azure Key Vault/Package/mainTemplate.json b/Solutions/Azure Key Vault/Package/mainTemplate.json index e2ee7101852..015ceca609d 100644 --- a/Solutions/Azure Key Vault/Package/mainTemplate.json +++ b/Solutions/Azure Key Vault/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Azure Key Vault", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-azurekeyvault", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "AzureKeyVault", 
@@ -61,18 +61,18 @@ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d6491be0-ab2d-439d-95d6-ad8ea39277c5','-', '1.0.4')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.7", + "analyticRuleVersion2": "1.0.8", "_analyticRulecontentId2": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '24f8c234-d1ff-40ec-8b73-96b17a3a9c1c')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('24f8c234-d1ff-40ec-8b73-96b17a3a9c1c')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','24f8c234-d1ff-40ec-8b73-96b17a3a9c1c','-', '1.0.7')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','24f8c234-d1ff-40ec-8b73-96b17a3a9c1c','-', '1.0.8')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.5", + "analyticRuleVersion3": "1.0.6", "_analyticRulecontentId3": "0914adab-90b5-47a3-a79f-7cdcac843aa7", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0914adab-90b5-47a3-a79f-7cdcac843aa7')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0914adab-90b5-47a3-a79f-7cdcac843aa7')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0914adab-90b5-47a3-a79f-7cdcac843aa7','-', '1.0.5')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0914adab-90b5-47a3-a79f-7cdcac843aa7','-', '1.0.6')))]" }, "analyticRuleObject4": { "analyticRuleVersion4": "1.0.2", @@ -100,7 +100,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure Key Vault data connector with template version 3.0.2", + "description": "Azure Key Vault data connector with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -259,7 +259,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -269,7 +269,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -303,16 +303,16 @@ { "fieldMappings": [ { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -320,8 +320,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPMax", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPMax" } ], "entityType": "IP" @@ -380,7 +380,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KeyvaultMassSecretRetrieval_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "KeyvaultMassSecretRetrieval_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -390,11 +390,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", + "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", "displayName": "Mass secret retrieval from Azure Key Vault", "enabled": false, "query": "let DistinctSecretsThreshold = 10;\nlet EventCountThreshold = 50;\n// To avoid any False Positives, filtering using AppId is recommended.\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\nlet AllowedAppId = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\",\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\"]);\nlet OperationList = dynamic([\"SecretGet\", 
\"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where OperationName in (OperationList) and ResourceType =~ \"VAULTS\"\n| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == 'VaultGet')\n| extend\n ResourceId,\n ResultType = column_ifexists(\"ResultType\", \"\"),\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"\"),\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\", \"\"),\n identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| as _Retrievals\n| where CallerObjectId in (toscalar(\n _Retrievals\n | where ResultType == \"Success\"\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\n | where Count > DistinctSecretsThreshold\n | summarize make_set(CallerObjectId,10000)\n))\n| extend\n requestUri_s = column_ifexists(\"requestUri_s\", \"\"),\n id_s = column_ifexists(\"id_s\", \"\"),\n CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"\"),\n clientInfo_s = column_ifexists(\"clientInfo_s\", \"\")\n| summarize\n EventCount = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n ResourceList = make_set(Resource, 50),\n OperationNameList = make_set(OperationName, 50),\n RequestURLList = make_set(requestUri_s, 50),\n ResourceId = max(ResourceId),\n CallerIPList = make_set(CallerIPAddress, 50),\n clientInfo_sList = make_set(clientInfo_s, 50),\n 
CallerIPMax = max(CallerIPAddress)\n by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\n | where EventCount > EventCountThreshold\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\n| extend timestamp = EndTime\n", @@ -424,8 +424,8 @@ { "fieldMappings": [ { - "columnName": "CallerObjectId", - "identifier": "Name" + "identifier": "Name", + "columnName": "CallerObjectId" } ], "entityType": "Account" @@ -433,8 +433,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPMax", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPMax" } ], "entityType": "IP" @@ -493,7 +493,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TimeSeriesKeyvaultAccessAnomaly_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TimeSeriesKeyvaultAccessAnomaly_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -503,11 +503,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", + "description": "Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", "displayName": "Azure Key Vault access TimeSeries anomaly", "enabled": false, "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n | where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend ResultType = column_ifexists(\"ResultType\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe 
to retrive records associated with the hour of anomoly\n| join kind = innerunique (\nAzureDiagnostics\n| where TimeGenerated > ago(2d)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = column_ifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = column_ifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\"),identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| extend id_s = column_ifexists(\"id_s\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = column_ifexists(\"clientInfo_s\", \"None\")\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\n) on CallerIPAddress\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = 
iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime\n", @@ -537,8 +537,8 @@ { "fieldMappings": [ { - "columnName": "AccountMax", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountMax" } ], "entityType": "Account" @@ -546,8 +546,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPAddress" } ], "entityType": "IP" @@ -606,7 +606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "NRT_KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -616,7 +616,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { 
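Review bot: In the unchanged `query` string of the "Azure Key Vault access TimeSeries anomaly" rule in this hunk, the inner join subquery reads `identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s` directly when it builds `CallerObjectUPN`, while every other identity column in that same `extend` is wrapped in `column_ifexists`, and the sibling rule in the preceding hunk does guard this exact column. As far as I understand the per-workspace AzureDiagnostics schema, a column that has never been populated in a workspace does not resolve, so in a workspace that only carries the short-form `identity_claim_upn_s` claim this bare reference would fail the whole rule rather than fall back as intended. The commit only bumps `apiVersion` and reflows the description, so this is pre-existing, but since the rule is being re-versioned anyway the fix is one added clause in that `extend`: `identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists("identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s", "")`. The `AlertRuleTemplates` resource object opened in this hunk closes outside it.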
@@ -646,16 +646,16 @@ { "fieldMappings": [ { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -663,8 +663,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPMax", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPMax" } ], "entityType": "IP" @@ -723,7 +723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureKeyVaultWorkbook Workbook with template version 3.0.2", + "description": "AzureKeyVaultWorkbook Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -815,12 +815,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Azure Key Vault", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Azure Key Vault/ReleaseNotes.md b/Solutions/Azure Key Vault/ReleaseNotes.md index 415bb430e2c..aa377b06a6f 100644 --- a/Solutions/Azure Key Vault/ReleaseNotes.md +++ b/Solutions/Azure Key Vault/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|--------------------------------------------------------------------------| +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.3 | 25-10-2024 | Updated description of CreateUi and **Analytic Rule** | | 3.0.2 | 14-02-2024 | Updated Entity Mapping for KeyVaultSensitiveOperations and NRT_KeyVaultSensitiveOperations **Analytic Rules** to render the GUID information correctly| | 3.0.1 | 01-02-2024 | Updated ObjectGuid Identifier with Name (KeyvaultMassSecretRetrieval) **Analytic Rule** to render the GUID information correctly| | 3.0.0 | 03-01-2024 | Added field ResourceId in (KeyvaultMassSecretRetrieval) **Analytic Rule** for proper Entity Mapping| diff --git a/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json b/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json index 723b7d6fbe4..9b3b76b66a4 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json +++ b/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json @@ -33,7 +33,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Azure SQL Database solution for sentinel", - "Version": "2.0.2", + "Version": "3.0.0", "TemplateSpec": true, "StaticDataConnectorIds": [ "AzureSql" 
diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip b/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip new file mode 100644 index 00000000000..c1f27fdb92d Binary files /dev/null and b/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip differ diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json b/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json index 634c34dc2f3..9eb10a7f8cc 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json +++ b/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Azure SQL Database](https://azure.microsoft.com/products/azure-sql/) solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. \r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor Resource Diagnostics ](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure SQL Database](https://azure.microsoft.com/products/azure-sql/) solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. 
\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor Resource Diagnostics ](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Azure SQL Database audit and diagnostic logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Azure SQL Database solution for sentinel. You can get Azure SQL Database solution for sentinel custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { 
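Review bot: The regenerated `dataconnectors1-text` block in this hunk is less accurate than the sentence it replaces: it drops that the connector ingests Azure SQL Database audit and diagnostic logs and instead says the workspace receives "custom log data", which does not match the basics description earlier in the same file stating that the solution streams audit and diagnostic logs via Azure Monitor Resource Diagnostics. This reads like packaging-tool boilerplate rather than an intentional wording change, and in the install wizard it is the one line telling the operator what the connector actually brings in. I would keep the previous wording: `"text": "This solution installs the data connector for ingesting Azure SQL Database audit and diagnostic logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`. The enclosing elements array continues outside the hunk.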
@@ -264,7 +264,7 @@ "name": "analytic9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies)." + "text": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.\nThe detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies)." } } ] 
@@ -278,7 +278,7 @@ "name": "analytic10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies)." + "text": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies)." } } ] diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json b/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json index c26dec754fb..cc6b49ef992 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json +++ b/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json 
@@ -38,144 +38,151 @@ } }, "variables": { - "solutionId": "sentinel4sql.sentinel4sql", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "Azure SQL Database solution for sentinel", + "_solutionVersion": "3.0.0", + "solutionId": "sentinel4sql.sentinel4sql", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "AzureSQLSecurityWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "analyticRuleVersion1": "1.1.1", - "analyticRulecontentId1": "daa32afa-b5b6-427d-93e9-e32f3f359dd7", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.1.1", - "analyticRulecontentId2": "20f87813-3de0-4a9f-a8c0-6aaa3187be08", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.1.1", - "analyticRulecontentId3": "c815008d-f4d1-4645-b13b-8b4bc188d5de", - 
"_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.1.1", - "analyticRulecontentId4": "237c3855-138c-4588-a68f-b870abd3bfc9", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.1.1", - "analyticRulecontentId5": "3367fd5e-44b3-4746-a9a5-dc15c8202490", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.1.1", - "analyticRulecontentId6": "05030ca6-ef66-42ca-b672-2e84d4aaf5d7", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.1.1", - "analyticRulecontentId7": "dabd7284-004b-4237-b5ee-a22acab19eb2", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.1.1", - "analyticRulecontentId8": "c105513d-e398-4a02-bd91-54b9b2d6fa7d", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.1.1", - "analyticRulecontentId9": "2a632013-379d-4993-956f-615063d31e10", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", - "analyticRuleVersion10": "1.1.1", - "analyticRulecontentId10": "9851c360-5fd5-4bae-a117-b66d8476bf5e", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", - "huntingQueryVersion1": "1.0.1", - "huntingQuerycontentId1": "724c7010-0afe-4d46-95ab-32f6737e658b", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.1", - "huntingQuerycontentId2": "4cda0673-37f9-4765-af1f-556de2295cd7", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": 
"[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "af55d5b0-6b4a-4874-8299-9d845bf7c1fd", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", - "huntingQueryVersion4": "1.0.1", - "huntingQuerycontentId4": "2a21303e-be48-404f-a6f6-883a6acfe5ad", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", - "huntingQueryVersion5": "1.0.1", - "huntingQuerycontentId5": "db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", - "huntingQueryVersion6": "1.0.1", - "huntingQuerycontentId6": "e0944dec-3c92-4b2d-8e81-a950afeaba69", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", - "huntingQueryVersion7": "1.0.1", - "huntingQuerycontentId7": 
"9670ac84-e035-47f5-8eb5-9d863a8a7893", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", - "huntingQueryVersion8": "1.0.1", - "huntingQuerycontentId8": "137tyi7c-7225-434b-8bfc-fea28v95ebd8", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.1.1", + "_analyticRulecontentId1": "daa32afa-b5b6-427d-93e9-e32f3f359dd7", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'daa32afa-b5b6-427d-93e9-e32f3f359dd7')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('daa32afa-b5b6-427d-93e9-e32f3f359dd7')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','daa32afa-b5b6-427d-93e9-e32f3f359dd7','-', '1.1.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.1.1", + "_analyticRulecontentId2": "20f87813-3de0-4a9f-a8c0-6aaa3187be08", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '20f87813-3de0-4a9f-a8c0-6aaa3187be08')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('20f87813-3de0-4a9f-a8c0-6aaa3187be08')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','20f87813-3de0-4a9f-a8c0-6aaa3187be08','-', '1.1.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.1.1", + "_analyticRulecontentId3": "c815008d-f4d1-4645-b13b-8b4bc188d5de", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c815008d-f4d1-4645-b13b-8b4bc188d5de')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c815008d-f4d1-4645-b13b-8b4bc188d5de')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c815008d-f4d1-4645-b13b-8b4bc188d5de','-', '1.1.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.1.1", + "_analyticRulecontentId4": "237c3855-138c-4588-a68f-b870abd3bfc9", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '237c3855-138c-4588-a68f-b870abd3bfc9')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('237c3855-138c-4588-a68f-b870abd3bfc9')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','237c3855-138c-4588-a68f-b870abd3bfc9','-', '1.1.1')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.1.1", + "_analyticRulecontentId5": "3367fd5e-44b3-4746-a9a5-dc15c8202490", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3367fd5e-44b3-4746-a9a5-dc15c8202490')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3367fd5e-44b3-4746-a9a5-dc15c8202490')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3367fd5e-44b3-4746-a9a5-dc15c8202490','-', '1.1.1')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.1.1", + "_analyticRulecontentId6": "05030ca6-ef66-42ca-b672-2e84d4aaf5d7", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '05030ca6-ef66-42ca-b672-2e84d4aaf5d7')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('05030ca6-ef66-42ca-b672-2e84d4aaf5d7')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05030ca6-ef66-42ca-b672-2e84d4aaf5d7','-', '1.1.1')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.1.1", + "_analyticRulecontentId7": "dabd7284-004b-4237-b5ee-a22acab19eb2", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dabd7284-004b-4237-b5ee-a22acab19eb2')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dabd7284-004b-4237-b5ee-a22acab19eb2')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dabd7284-004b-4237-b5ee-a22acab19eb2','-', '1.1.1')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.1.1", + "_analyticRulecontentId8": "c105513d-e398-4a02-bd91-54b9b2d6fa7d", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'c105513d-e398-4a02-bd91-54b9b2d6fa7d')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c105513d-e398-4a02-bd91-54b9b2d6fa7d')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c105513d-e398-4a02-bd91-54b9b2d6fa7d','-', '1.1.1')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.1.2", + "_analyticRulecontentId9": "2a632013-379d-4993-956f-615063d31e10", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2a632013-379d-4993-956f-615063d31e10')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2a632013-379d-4993-956f-615063d31e10')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2a632013-379d-4993-956f-615063d31e10','-', '1.1.2')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.1.2", + "_analyticRulecontentId10": "9851c360-5fd5-4bae-a117-b66d8476bf5e", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9851c360-5fd5-4bae-a117-b66d8476bf5e')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9851c360-5fd5-4bae-a117-b66d8476bf5e')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9851c360-5fd5-4bae-a117-b66d8476bf5e','-', '1.1.2')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.1", + "_huntingQuerycontentId1": "724c7010-0afe-4d46-95ab-32f6737e658b", + "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('724c7010-0afe-4d46-95ab-32f6737e658b')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.1", + "_huntingQuerycontentId2": "4cda0673-37f9-4765-af1f-556de2295cd7", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4cda0673-37f9-4765-af1f-556de2295cd7')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "af55d5b0-6b4a-4874-8299-9d845bf7c1fd", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('af55d5b0-6b4a-4874-8299-9d845bf7c1fd')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.1", + "_huntingQuerycontentId4": "2a21303e-be48-404f-a6f6-883a6acfe5ad", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2a21303e-be48-404f-a6f6-883a6acfe5ad')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.1", + "_huntingQuerycontentId5": "db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.1", + "_huntingQuerycontentId6": "e0944dec-3c92-4b2d-8e81-a950afeaba69", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e0944dec-3c92-4b2d-8e81-a950afeaba69')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.1", + "_huntingQuerycontentId7": "9670ac84-e035-47f5-8eb5-9d863a8a7893", + "huntingQueryTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9670ac84-e035-47f5-8eb5-9d863a8a7893')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.1", + "_huntingQuerycontentId8": "137tyi7c-7225-434b-8bfc-fea28v95ebd8", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('137tyi7c-7225-434b-8bfc-fea28v95ebd8')))]" + }, "uiConfigId1": "AzureSql", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "AzureSql", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": 
"2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Workbook with template", - "displayName": "Azure SQL Database solution for sentinel workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Workbook-AzureSQLSecurityWorkbook Workbook with template version 2.0.2", + "description": "Workbook-AzureSQLSecurity Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -248,47 +255,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 1 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -306,10 +306,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -320,7 +320,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -330,43 +329,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } 
@@ -374,13 +374,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -399,47 +399,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 2 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Credential errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-ErrorsFirewallStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsFirewallStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -457,10 +450,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -471,7 +464,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -481,43 +473,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -525,13 +518,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -550,47 +543,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 3 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Firewall errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-ErrorsSyntaxStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsSyntaxStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -608,10 +594,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -622,7 +608,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -632,43 +617,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -676,13 +662,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -701,47 +687,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 4 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Syntax errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsDropStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsDropStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -759,10 +738,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -773,7 +752,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -783,43 +761,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -827,13 +806,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -852,47 +831,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 5 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Drop attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsExecutionStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsExecutionStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -910,10 +882,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -924,7 +896,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -934,43 +905,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -978,13 +950,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1003,47 +975,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 6 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Execution attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1061,10 +1026,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1075,7 +1040,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1085,43 +1049,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1129,13 +1094,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1154,47 +1119,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 7 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Firewall rule manipulation attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1212,10 +1170,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1226,7 +1184,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1236,43 +1193,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1280,13 +1238,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1305,47 +1263,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 8 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "OLE object manipulation attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsOutgoingStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsOutgoingStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1363,10 +1314,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1377,7 +1328,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1387,43 +1337,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1431,13 +1382,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1456,51 +1407,44 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 9 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Outgoing connection attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).", + "description": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.\nThe detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).", "displayName": "Affected rows stateful anomaly on database", "enabled": false, "query": "let volumeThresholdZ = 3.0; // Minimal threshold for the Zscore to trigger anomaly (number of standard deviations above mean). If set higher, only very significant alerts will fire.\nlet volumeThresholdQ = volumeThresholdZ; // Minimal threshold for the Qscore to trigger anomaly (number of Inter-Percentile Ranges above high percentile). If set higher, only very significant alerts will fire.\nlet volumeThresholdHardcoded = 500; // Minimal value for the volume metric to trigger anomaly.\nlet detectionWindow = 1h; // The size of the recent detection window for detecting anomalies. \nlet trainingWindow = detectionWindow + 14d; // The size of the training window before the detection window for learning the normal state.\nlet monitoredColumn = 'AffectedRows'; // The name of the column for volumetric anomalies.\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated >= ago(trainingWindow)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s\n | extend QuantityColumn = column_ifexists(monitoredColumn, 0)\n | extend WindowType = case( TimeGenerated >= ago(detectionWindow), 'detection',\n (ago(trainingWindow) <= TimeGenerated and TimeGenerated < ago(detectionWindow)), 'training', 'other')\n | where WindowType in ('detection', 'training'));\nlet 
trainingSet =\n processedData\n | where WindowType == 'training'\n | summarize AvgVal = round(avg(QuantityColumn), 2), StdVal = round(stdev(QuantityColumn), 2), N = count(),\n P99Val = round(percentile(QuantityColumn, 99), 2), P50Val = round(percentile(QuantityColumn, 50), 2)\n by Database;\nprocessedData\n| where WindowType == 'detection'\n| join kind = inner (trainingSet) on Database\n| extend ZScoreVal = iff(N >= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00),\n QScoreVal = iff(N >= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)\n| extend IsVolumeAnomalyOnVal = iff((ZScoreVal > volumeThresholdZ and QScoreVal > volumeThresholdQ and QuantityColumn > volumeThresholdHardcoded), true, false), AnomalyScore = round((ZScoreVal + QScoreVal)/2, 0)\n| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement,\n IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore,ResourceId\n| where IsVolumeAnomalyOnVal == 'true'\n| sort by AnomalyScore desc, TimeGenerated desc\n| extend Name = tostring(split(PrincipalName,'@',0)[0]), UPNSuffix = tostring(split(PrincipalName,'@',1)[0])\n", @@ -1514,10 +1458,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1530,7 +1474,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1540,43 +1483,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1584,13 +1528,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1609,51 +1553,44 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 10 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Affected rows stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-VolumeResponseRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-VolumeResponseRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).", + "description": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).", "displayName": "Response rows stateful anomaly on database", "enabled": false, "query": "let volumeThresholdZ = 3.0; // Minimal threshold for the Zscore to trigger anomaly (number of standard deviations above mean). If set higher, only very significant alerts will fire.\nlet volumeThresholdQ = volumeThresholdZ; // Minimal threshold for the Qscore to trigger anomaly (number of Inter-Percentile Ranges above high percentile). If set higher, only very significant alerts will fire.\nlet volumeThresholdHardcoded = 500; // Minimal value for the volume metric to trigger anomaly.\nlet detectionWindow = 1h; // The size of the recent detection window for detecting anomalies. \nlet trainingWindow = detectionWindow + 14d; // The size of the training window before the detection window for learning the normal state.\nlet monitoredColumn = 'ResponseRows'; // The name of the column for volumetric anomalies.\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated >= ago(trainingWindow)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s\n | extend QuantityColumn = column_ifexists(monitoredColumn, 0)\n | extend WindowType = case( TimeGenerated >= ago(detectionWindow), 'detection',\n (ago(trainingWindow) <= TimeGenerated and TimeGenerated < ago(detectionWindow)), 'training', 'other')\n | where WindowType in ('detection', 'training'));\nlet 
trainingSet =\n processedData\n | where WindowType == 'training'\n | summarize AvgVal = round(avg(QuantityColumn), 2), StdVal = round(stdev(QuantityColumn), 2), N = count(),\n P99Val = round(percentile(QuantityColumn, 99), 2), P50Val = round(percentile(QuantityColumn, 50), 2)\n by Database;\nprocessedData\n| where WindowType == 'detection'\n| join kind = inner (trainingSet) on Database\n| extend ZScoreVal = iff(N >= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00),\n QScoreVal = iff(N >= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)\n| extend IsVolumeAnomalyOnVal = iff((ZScoreVal > volumeThresholdZ and QScoreVal > volumeThresholdQ and QuantityColumn > volumeThresholdHardcoded), true, false), AnomalyScore = round((ZScoreVal + QScoreVal)/2, 0)\n| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement,\n IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore, ResourceId\n| where IsVolumeAnomalyOnVal == 'true'\n| sort by AnomalyScore desc, TimeGenerated desc\n| extend Name = tostring(split(PrincipalName,'@',0)[0]), UPNSuffix = tostring(split(PrincipalName,'@',1)[0])\n", @@ -1667,10 +1604,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1682,7 +1619,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1692,43 +1628,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1736,13 +1673,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1761,46 +1698,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 1 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Response rows stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-AffectedRowAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-AffectedRowAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1828,13 +1758,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1853,53 +1783,46 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 2 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Anomalous Query Execution Time", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-BooleanBlindSQLi_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-BooleanBlindSQLi_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Boolean Blind SQL Injection", "category": "Hunting Queries", - "query": "let timeRange = 7d;\n//How frequently the query averages data for an average execution time\nlet timeSliceSize = 1h;\n//Anomaly decompose threshold, 2 by default\nlet scoreThreshold = 2;\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated > ago(timeRange)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s,\n Error = case( 
additional_information_s has 'error_code', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+)\", 1, additional_information_s))\n , 0),\n State = case( additional_information_s has 'error_state', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+), Level ([0-9.]+)\", 2, additional_information_s))\n , 0),\n AdditionalInfo = additional_information_s, timeSlice = floor(TimeGenerated, timeSliceSize));\nlet queryData = processedData\n| where Statement contains \"=\"\n| extend extract_equals = extract_all(@\"([a-zA-Z0-9\\-\\']+\\s?=\\s?[a-zA-Z0-9\\-\\']+)\", Statement)\n| where extract_equals != \"\"\n| mv-expand extract_equals\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\nlet cleanData = queryData\n| where left !has \"'\" and right !has \"'\";\n//Data has a quote in both sides, we need to parse this properly\n//We only care when the query is balanced e.g. 
'1'='1', so both sides will have a quote\n//This allows us to drop some results early\nlet quoteData = queryData\n| where left has \"'\" and right has \"'\"\n| extend extract_equals = extract_all(@\"(\\'.+\\'\\s?=\\s?\\'.+\\')\", Statement)\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\ncleanData\n| union quoteData\n| where left == right\n| extend alertText = strcat(left, \"=\", right)\n| summarize AlertText=make_list(alertText, 10000) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId\n| extend Name = tostring(split(PrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(PrincipalName, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = ClientIp\n| extend Host_0_Hostname = HostName\n| extend CloudApplication_0_Name = ApplicationName\n| extend AzureResource_0_ResourceId = ResourceId\n", + "query": "let timeRange = 7d;\n//How frequently the query averages data for an average execution time\nlet timeSliceSize = 1h;\n//Anomaly decompose threshold, 2 by default\nlet scoreThreshold = 2;\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated > ago(timeRange)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s,\n Error = case( additional_information_s has 'error_code', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err 
([0-9.]+)\", 1, additional_information_s))\n , 0),\n State = case( additional_information_s has 'error_state', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+), Level ([0-9.]+)\", 2, additional_information_s))\n , 0),\n AdditionalInfo = additional_information_s, timeSlice = floor(TimeGenerated, timeSliceSize));\nlet queryData = processedData\n| where Statement contains \"=\"\n| extend extract_equals = extract_all(@\"([a-zA-Z0-9\\-\\']+\\s?=\\s?[a-zA-Z0-9\\-\\']+)\", Statement)\n| where extract_equals != \"\"\n| mv-expand extract_equals\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\nlet cleanData = queryData\n| where left !has \"'\" and right !has \"'\";\n//Data has a quote in both sides, we need to parse this properly\n//We only care when the query is balanced e.g. '1'='1', so both sides will have a quote\n//This allows us to drop some results early\nlet quoteData = queryData\n| where left has \"'\" and right has \"'\"\n| extend extract_equals = extract_all(@\"(\\'.+\\'\\s?=\\s?\\'.+\\')\", Statement)\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\ncleanData\n| union quoteData\n| where left == right\n| extend alertText = strcat(left, \"=\", right)\n| summarize AlertText=make_list(alertText, 10000) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId, HostName\n| extend Name = tostring(split(PrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(PrincipalName, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = ClientIp\n| extend Host_0_Hostname = HostName\n| extend CloudApplication_0_Name = ApplicationName\n| extend AzureResource_0_ResourceId = ResourceId\n", "version": 2, "tags": [ { 
@@ -1920,13 +1843,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
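Review bot: The contentTemplates metadata added here for hunting query 1 carries `"displayName": "Anomalous Query Execution Time"`, the same title the later hunk adds for hunting query 3, while this resource's own description names `HuntingQuery-AffectedRowAnomaly_HuntingQueries`, so the title looks copy-pasted and two solution items would be listed under one name. If this mainTemplate is produced by the packaging tool, the mismatch presumably originates in the hunting query's source YAML, so it should be corrected there and the template regenerated rather than hand-edited. Separately, `version`, `contentProductId` and `id` in this block are the literal `'1.0.1'` while `mainTemplate.contentVersion` in the same resource reads `variables('huntingQueryObject1').huntingQueryVersion1`, so the two can drift when only the variable is bumped; the analytic rule 10 block in the earlier hunk resolves all of these from its variables object, which is the consistent form. The enclosing contentTemplates resource for hunting query 1 begins in the preceding hunk, and the same literal-version pattern recurs in the hunks for hunting queries 2 through 6.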
@@ -1945,46 +1868,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 3 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Boolean Blind SQL Injection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-ExecutionTimeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-ExecutionTimeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2012,13 +1928,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2037,46 +1953,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 4 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Anomalous Query Execution Time", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-PrevalenceBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-PrevalenceBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2104,13 +2013,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2129,46 +2038,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 5 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Prevalence Based SQL Query Size Anomaly", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-SuspiciousStoredProcedures_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-SuspiciousStoredProcedures_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2196,13 +2098,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2221,46 +2123,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 6 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Suspicious SQL Stored Procedures", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-TimeBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-TimeBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2288,13 +2183,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2313,46 +2208,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 7 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Time Based SQL Query Size Anomaly", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2380,13 +2268,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2405,46 +2293,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 8 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Affected rows stateful anomaly on database - hunting query", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, 
"dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2472,13 +2353,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2497,37 +2378,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Response rows stateful anomaly on database - hunting query", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel data connector with template", - "displayName": "Azure SQL Database solution for sentinel template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure SQL Database solution for sentinel data connector with template version 2.0.2", + "description": "Azure SQL Database solution for sentinel data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2692,7 +2566,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -2717,12 +2591,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Azure SQL Databases", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -2907,13 +2792,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.2", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Azure SQL Database solution for sentinel", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Azure SQL Database solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor Resource Diagnostics
  2. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
@@ -2941,93 +2833,93 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + 
"version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { "kind": "DataConnector", diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json b/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json new file mode 100644 index 00000000000..f4f45342aa2 --- /dev/null +++ b/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json 
@@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Azure SQL Database Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md b/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md new file mode 100644 index 00000000000..44c537020ef --- /dev/null +++ b/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.0 | 25-10-2024 | Updated description of CreateUi and **Analytic Rule** | \ No newline at end of file diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py b/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py index 1da5bc69269..d92c0914b64 100644 --- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py +++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py 
@@ -354,6 +354,7 @@ def get_alerts_details(self, company_name, company_guid): next_link = response.get("links").get("next") alerts_data = [] c_data = {} + query_parameter["offset"] = 0 while next_link: query_parameter["offset"] += query_parameter.get("limit") c_data["next1"] = self.get_bitsight_data(url, query_parameter) diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip b/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip index 90f55d30dbc..e471b0a9431 100644 Binary files a/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip and b/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip differ diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py b/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py index baa87858f4f..5ed1f7b9f70 100644 --- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py +++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py @@ -72,8 +72,8 @@ def generate_auth_token(self): user_and_pass = base64.b64encode(api.encode()).decode("ascii") headers = { "Accept": "application/json", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "BitSight Security Performance Management for Microsoft Sentinel Data Connector 1.0.0", "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", + "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" } headers["Authorization"] = "Basic %s" % user_and_pass self.headers = headers diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json b/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json index 87b83635bc0..8c33eec6a01 100644 --- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json 
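Review bot: The reset `query_parameter["offset"] = 0` added before the loop only lines up with the `+=` on the following line if the request that produced `response` (above the hunk) was itself sent with offset 0; if the caller supplied a non-zero starting offset, the second page would be fetched from `limit` rather than from where the first page ended, repeating or skipping records without any error. Setting the offset once before the initial request, or taking the next offset from the `next` link the API already returns in `response["links"]`, would remove that assumption. The increment also still relies on `query_parameter.get("limit")`, which yields `None` and a `TypeError` when the key is absent; `query_parameter["limit"]` fails with a clearer message. get_alerts_details starts and continues outside the hunk.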
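Review bot: The new `X-BITSIGHT-CONNECTOR-NAME-VERSION` value `"3.0.2"` drops the connector name that the header's name implies and that the removed value carried, so the receiving side can no longer distinguish this integration from any other client that reports a bare version string; if the intent was only to correct the stale `1.0.0`, keep the name and update the number. The version is also a literal buried inside generate_auth_token, where it will drift from the solution version again; hoist it to a module-level constant such as `CONNECTOR_VERSION = "3.0.2"` (constructed name) and build the header from it. generate_auth_token's body continues outside the hunk.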
+++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json @@ -40,7 +40,7 @@ "type": "string", "defaultValue": "ALL", "metadata": { - "description": "Please add valid company names separated by slash(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc." + "description": "Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc." } }, "WorkspaceID": { 
@@ -59,51 +59,99 @@ }, "Portfolio_Companies_Table_Name":{ "type": "string", - "defaultValue": "Portfolio_Companies" + "defaultValue": "Portfolio_Companies", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Alerts_Table_Name":{ "type": "string", - "defaultValue": "Alerts_data" + "defaultValue": "Alerts_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Breaches_Table_Name":{ "type": "string", - "defaultValue": "BitsightBreaches_data" + "defaultValue": "BitsightBreaches_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Company_Table_Name":{ "type": "string", - "defaultValue": "BitsightCompany_details" + "defaultValue": "BitsightCompany_details", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Company_Rating_Details_Table_Name":{ "type": "string", - "defaultValue": "BitsightCompany_rating_details" + "defaultValue": "BitsightCompany_rating_details", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Diligence_Historical_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightDiligence_historical_statistics" + "defaultValue": "BitsightDiligence_historical_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Diligence_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightDiligence_statistics" + "defaultValue": "BitsightDiligence_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Findings_Summary_Table_Name":{ "type": 
"string", - "defaultValue": "BitsightFindings_summary" + "defaultValue": "BitsightFindings_summary", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Findings_Table_Name":{ "type": "string", - "defaultValue": "BitsightFindings_data" + "defaultValue": "BitsightFindings_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Graph_Table_Name":{ "type": "string", - "defaultValue": "BitsightGraph_data" + "defaultValue": "BitsightGraph_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Industrial_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightIndustrial_statistics" + "defaultValue": "BitsightIndustrial_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Observation_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightObservation_statistics" + "defaultValue": "BitsightObservation_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "LogLevel":{ "type": "string", @@ -128,7 +176,7 @@ "type": "string", "defaultValue": "0 */30 * * * *", "metadata": { - "description": "Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *)" + "description": "Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *)" } }, "AppInsightsWorkspaceResourceID": { @@ -186,7 +234,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { diff --git a/Solutions/Bitglass/ReleaseNotes.md b/Solutions/Bitglass/ReleaseNotes.md index 045a358b890..a9fd322af45 100644 --- a/Solutions/Bitglass/ReleaseNotes.md +++ b/Solutions/Bitglass/ReleaseNotes.md 
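Review bot: The twelve copies of `"description": "Please do not keep this field as empty else you will get validation error"` only restate what the new `"minLength": 1` already enforces, and the wording is ungrammatical; a description should tell the deployer what the value is, e.g. `"description": "Name of the custom Log Analytics table that receives Portfolio Companies data (must not be empty)"` (constructed wording, adjust per parameter). `minLength: 1` also accepts a whitespace-only or otherwise malformed name; if these strings are used verbatim as custom table names, documenting the allowed characters in the description would surface a bad value at deployment time rather than at ingestion. This applies to every table-name parameter in the hunk; the surrounding parameters object is unchanged context.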
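Review bot: `"minimumTlsVersion": "TLS1_2"` is the right floor for the storage account, but the hunk shows no accompanying `"supportsHttpsTrafficOnly": true` or `"allowBlobPublicAccess": false` on the same resource; unless they are set in the part of the storage account definition outside this hunk, add them next to the new line so the encryption block above is not undercut by plain-HTTP or anonymous blob access. The storage account resource starts above the hunk.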
@@ -1,3 +1,3 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 28-08-2024 | Updated the python runtime version to **3.11** | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.0 | 21-10-2024 | Updated the python runtime version to **3.11** and updated functional URL| diff --git a/Solutions/CTERA/Package/3.0.0.zip b/Solutions/CTERA/Package/3.0.0.zip index e5a35bf5aa7..f0721dfac20 100644 Binary files a/Solutions/CTERA/Package/3.0.0.zip and b/Solutions/CTERA/Package/3.0.0.zip differ diff --git a/Solutions/CTERA/Package/mainTemplate.json b/Solutions/CTERA/Package/mainTemplate.json index 8276ab25f23..f0b0178e978 100644 --- a/Solutions/CTERA/Package/mainTemplate.json +++ b/Solutions/CTERA/Package/mainTemplate.json @@ -42,7 +42,7 @@ "_email": "[variables('email')]", "_solutionName": "CTERA", "_solutionVersion": "3.0.0", - "solutionId": "1password1617200969773.azure-sentinel-solution-1password", + "solutionId": "cteranetworksltd1651947437632.microsoft-sentinel-solution-ctera", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "CTERA", "_uiConfigId1": "[variables('uiConfigId1')]", diff --git a/Solutions/CTERA/SolutionMetadata.json b/Solutions/CTERA/SolutionMetadata.json index 7c48094a0b4..2d6620abeee 100644 --- a/Solutions/CTERA/SolutionMetadata.json +++ b/Solutions/CTERA/SolutionMetadata.json @@ -1,5 +1,5 @@ { - "publisherId": "CTERA Networks Ltd", + "publisherId": "cteranetworksltd1651947437632", "offerId": "microsoft-sentinel-solution-ctera", "firstPublishDate": "2024-07-28", "providers": ["CTERA Networks Ltd"], 
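Review bot: In the SolutionMetadata.json hunk, `publisherId` now matches the `cteranetworksltd1651947437632` prefix that the package's `solutionId` uses, but the solution is re-packaged under the same version: `Package/3.0.0.zip` and `mainTemplate.json` change in this commit while `_solutionVersion` stays `3.0.0` and no release note records the identifier fix. If 3.0.0 was already published with the old `1password...` id, two different artefacts will share one version and consumers cannot tell which they have installed; bump the version or at least add a ReleaseNotes entry describing the correction. The remaining fields of the file are unchanged context.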
diff --git a/Solutions/CTM360/Package/3.0.2.zip b/Solutions/CTM360/Package/3.0.2.zip index f3b9a1ae09b..e13fc77161e 100644 Binary files a/Solutions/CTM360/Package/3.0.2.zip and b/Solutions/CTM360/Package/3.0.2.zip differ diff --git a/Solutions/CTM360/Package/mainTemplate.json b/Solutions/CTM360/Package/mainTemplate.json index 0214b342b28..7dfcf0679ee 100644 --- a/Solutions/CTM360/Package/mainTemplate.json +++ b/Solutions/CTM360/Package/mainTemplate.json @@ -1046,13 +1046,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1060,10 +1060,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1167,13 +1167,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1181,10 +1181,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": true, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1288,13 +1288,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { 
@@ -1302,10 +1302,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1409,13 +1409,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1423,10 +1423,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1525,13 +1525,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1539,10 +1539,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1641,13 +1641,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1655,10 +1655,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -1760,31 +1760,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1792,10 +1792,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1895,31 +1895,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -1927,10 +1927,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2029,31 +2029,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -2061,10 +2061,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2163,31 +2163,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2195,10 +2195,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2299,13 +2299,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2313,10 +2313,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2415,13 +2415,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2429,10 +2429,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2531,31 +2531,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { 
@@ -2566,10 +2566,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2671,14 +2671,14 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { + "identifier": "Url", "suppressionDuration": "5h", - "columnName": "subject_s", - "identifier": "Url" + "columnName": "subject_s" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2686,10 +2686,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2788,31 +2788,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2820,10 +2820,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2923,31 +2923,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2955,10 +2955,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3058,31 +3058,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3090,10 +3090,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3193,31 +3193,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -3225,10 +3225,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3327,31 +3327,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -3359,10 +3359,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3461,31 +3461,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3493,10 +3493,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3595,31 +3595,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3627,10 +3627,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3729,31 +3729,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3761,10 +3761,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3863,31 +3863,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -3895,10 +3895,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3998,10 +3998,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4098,13 +4098,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4112,10 +4112,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4212,31 +4212,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4244,10 +4244,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -4344,31 +4344,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4376,10 +4376,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4486,10 +4486,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4588,31 +4588,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { 
@@ -4620,10 +4620,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4726,13 +4726,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4740,10 +4740,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4846,13 +4846,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4860,10 +4860,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -4964,31 +4964,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4996,10 +4996,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -5103,31 +5103,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -5135,10 +5135,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -5242,31 +5242,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -5274,10 +5274,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -5381,31 +5381,31 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -5413,10 +5413,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -5520,31 +5520,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -5555,10 +5555,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -5662,31 +5662,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -5694,11 +5694,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -5802,31 +5801,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -5834,10 +5833,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip index 54e7ec2b8b8..5548f750bff 100644 Binary files a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip and b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip differ diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json index 5963f895e4a..ba25365a329 100644 --- a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json 
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json 
@@ -158,7 +158,7 @@
 },
 {
 "title": "",
- "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
+ "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
 },
 {
 "title": "",
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json
index 1cc3e9d52ba..9a3760c3e34 100644
--- a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json
@@ -275,7 +275,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
diff --git a/Solutions/CofenseIntelligence/Package/3.0.0.zip b/Solutions/CofenseIntelligence/Package/3.0.0.zip
index 157bdb03d41..0b0bb9dd97a 100644
Binary files a/Solutions/CofenseIntelligence/Package/3.0.0.zip and b/Solutions/CofenseIntelligence/Package/3.0.0.zip differ
diff --git a/Solutions/CofenseIntelligence/Package/createUiDefinition.json b/Solutions/CofenseIntelligence/Package/createUiDefinition.json
index 8f5c0c9abcf..17565951197 100644
--- a/Solutions/CofenseIntelligence/Package/createUiDefinition.json
+++ b/Solutions/CofenseIntelligence/Package/createUiDefinition.json
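Review bot: The `"linuxFxVersion": "python|3.11"` pin moves the function app off an end-of-life runtime, which is the right direction, but nothing in this hunk or elsewhere in the visible diff records that the packaged function code and its dependency pins were exercised on 3.11; the refreshed package zips are binary and cannot be reviewed here. A runtime/dependency mismatch in this connector surfaces only after deployment, as a function app that fails to start and silently stops indicator ingestion, so I would have the PR description state which dependency set was verified on 3.11 and whether the Functions extension bundle needed a matching bump. The connector UI text changed in the previous hunk now reads `Choose Python 3.11 or above.` while this template pins exactly 3.11; `Choose Python 3.11.` keeps manual VS Code deployments on the runtime the packaged template was validated with.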
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CofenseIntelligence/ReleaseNotes.md)\r \n • _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc. [Microsoft Threat Intelligence Indicator API](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CofenseIntelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na.[Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb.[Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc.[Microsoft Threat Intelligence Indicator API](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/CofenseIntelligence/Package/mainTemplate.json b/Solutions/CofenseIntelligence/Package/mainTemplate.json
index 84d8c265e6a..f1e85c593d0 100644
--- a/Solutions/CofenseIntelligence/Package/mainTemplate.json
+++ b/Solutions/CofenseIntelligence/Package/mainTemplate.json
@@ -72,7 +72,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CofenseIntelligenceThreatIndicatorsWorkbook Workbook with template version 3.0.0",
+ "description": "CofenseIntelligenceThreatIndicators Workbook with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
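Review bot: The rewritten `description` on the `+` line of the createUiDefinition hunk still carries the duplicated, truncated paragraph that was already in the old line: `**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n` appears once cut off mid-sentence and is then immediately repeated in full, so the install blade renders the heading twice with a dangling sentence — the first copy should be deleted. The same line also regresses the list formatting: the old `a. [Azure Monitor`, `b. [Azure Functions`, `c. [Microsoft Threat` lost the space after the letter and now read `a.[Azure Monitor`, and the second bullet is written `\n\n • There may be` with a stray leading space while the first is `\n\n• Review`. Since this is the user-facing text shown at deploy time, I would fix all three in this one string rather than shipping another description-only revision. The `Package/3.0.0.zip` binary in this commit presumably embeds the same createUiDefinition, so it would need to be regenerated after the text fix.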
@@ -90,7 +90,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Intelligence Threat Indicators](https://www.threathq.com)\\n---\\n\\nCofense Intelligence is a human-vetted phishing-threat intelligence service that provides accurate and timely alerts and in-depth analysis to strengthen your enterprise's ability to quickly identify and respond to phishing attacks in progress.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Cofense Intelligence Logo](https://cdn.splunkbase.splunk.com/media/public/icons/da85629e-b54b-11ec-90ee-aa325d5405c9.svg?width=200&height=100)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel 
Logo\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| 
summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render 
barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are 
marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| where ConfidenceScore != \\\"\\\"\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data 
of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by 
EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage 
desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n| where Tags != \\\"\\\"\\r\\n| parse Tags with * \\\"[\\\\\\\"threatID-\\\" threat_id \\\"\\\\\\\"]\\\"\\r\\n| extend threat_id = toreal(threat_id)\\r\\n| join kind=inner Malware_Data_CL on $left.threat_id == $right.id_d\\r\\n// latest data of cofense indicator to avoid duplicates \\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| extend Ioc = case(ThreatType == \\\"File\\\", FileHashValue, \\r\\n ThreatType == \\\"URL\\\", Url,\\r\\n DomainName)\\r\\n| order by TimeGenerated desc\\r\\n| project [\\\"Threat ID\\\"]=threat_id, [\\\"Confidence Score\\\"]=ConfidenceScore, [\\\"Threat Type\\\"]=ThreatType, [\\\"IOC\\\"]=Ioc, Label=label_s, [\\\"Last Published\\\"]=unixtime_microseconds_todatetime(lastPublished_d*1000), [\\\"First Published\\\"]=unixtime_microseconds_todatetime(firstPublished_d*1000), [\\\"Threat Detail URL\\\"]=threatDetailURL_s, [\\\"Download Report 
(HTML)\\\"]=ReportDownload_HTML__s, [\\\"Download Report (PDF)\\\"]=ReportDownload_PDF__s, [\\\"Executive Summary\\\"]=executiveSummary_s\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Intelligence Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Confidence Score\",\"formatter\":1},{\"columnMatch\":\"Threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Download Report (HTML)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download HTML Report\"}},{\"columnMatch\":\"Download Report (PDF)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download PDF Report\"}},{\"columnMatch\":\"threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Report URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 6\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseIntelligenceThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": 
\\\"No\\\"}\\r\\n]\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Intelligence Threat Indicators](https://www.threathq.com)\\n---\\n\\nCofense Intelligence is a human-vetted phishing-threat intelligence service that provides accurate and timely alerts and in-depth analysis to strengthen your enterprise's ability to quickly identify and respond to phishing attacks in progress.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Cofense Intelligence Logo](https://cdn.splunkbase.splunk.com/media/public/icons/da85629e-b54b-11ec-90ee-aa325d5405c9.svg?width=200&height=100)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator 
to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| where ConfidenceScore != \\\"\\\"\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Confidence 
Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense 
Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet 
MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence 
Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n| where Tags != \\\"\\\"\\r\\n| parse Tags with * \\\"[\\\\\\\"threatID-\\\" threat_id \\\"\\\\\\\"]\\\"\\r\\n| extend threat_id = toreal(threat_id)\\r\\n| join kind=inner Malware_Data_CL on $left.threat_id == $right.id_d\\r\\n// latest data of cofense indicator to avoid duplicates \\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| extend Ioc = case(ThreatType == \\\"File\\\", FileHashValue, \\r\\n ThreatType == \\\"URL\\\", Url,\\r\\n DomainName)\\r\\n| order by TimeGenerated desc\\r\\n| project [\\\"Threat ID\\\"]=threat_id, [\\\"Confidence Score\\\"]=ConfidenceScore, [\\\"Threat Type\\\"]=ThreatType, [\\\"IOC\\\"]=Ioc, Label=label_s, [\\\"Last Published\\\"]=unixtime_microseconds_todatetime(lastPublished_d*1000), [\\\"First Published\\\"]=unixtime_microseconds_todatetime(firstPublished_d*1000), [\\\"Threat Detail URL\\\"]=threatDetailURL_s, [\\\"Download Report (HTML)\\\"]=ReportDownload_HTML__s, [\\\"Download Report (PDF)\\\"]=ReportDownload_PDF__s, [\\\"Executive Summary\\\"]=executiveSummary_s\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Intelligence Threat Indicators 
Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Confidence Score\",\"formatter\":1},{\"columnMatch\":\"Threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Download Report (HTML)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download HTML Report\"}},{\"columnMatch\":\"Download Report (PDF)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download PDF Report\"}},{\"columnMatch\":\"threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Report URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 6\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseIntelligenceThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -329,7 +329,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." 
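Review bot: The "Configure the Function App" step on this line has the operator type Workspace Key, Cofense Password and Azure Client Secret directly into Application settings, where they are stored and displayed in plain text to any principal that can list the app's configuration; the commit only bumps the runtime text and leaves this unaddressed. I would add a caveat right after the settings list, before step 4: `> **NOTE:** Store Workspace Key, Cofense Password and Azure Client Secret in Azure Key Vault and reference them from the app settings with @Microsoft.KeyVault(SecretUri=...) instead of entering the raw values.` It is also worth stating that the service principal behind Azure Client ID / Azure Client Secret should be scoped to the single resource group and workspace named in the settings, since the same credential is used to write indicators. The description string is a single JSON line, so the insertion point is inside that string just before `\n4. Once all application settings`.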
@@ -566,7 +566,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." @@ -586,7 +586,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "CofenseIntelligence", "publisherDisplayName": "Cofense Support", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n

a.Azure Monitor HTTP Data Collector API

\n

b.Azure Functions

\n

c.Microsoft Threat Intelligence Indicator API

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n

a.Azure Monitor HTTP Data Collector API

\n

b.Azure Functions

\n

c.Microsoft Threat Intelligence Indicator API

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/CofenseIntelligence/Package/testParameters.json b/Solutions/CofenseIntelligence/Package/testParameters.json new file mode 100644 index 00000000000..101581b42ca --- /dev/null +++ b/Solutions/CofenseIntelligence/Package/testParameters.json @@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CofenseIntelligenceThreatIndicators", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip index d652d19a876..d2c0386b065 100644 Binary files a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip and b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip differ 
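Review bot: The rewritten descriptionHtml still contains the paragraph "Underlying Microsoft Technologies used:" twice, and the first copy is followed by a sentence cut off at "some of these dependencies either may be in" before the heading repeats with the complete sentence; the commit rewrote this string to add the Release Notes bullets but kept the duplicated, truncated block, so the marketplace listing shows a half-sentence. Remove the first heading and its truncated sentence and keep only the complete "...Preview state or might result in additional ingestion or operational costs:" paragraph that precedes the a./b./c. list. If this HTML is generated by the solution packaging tool from a SolutionMetadata or README source, the duplicate presumably lives in that source and should be fixed there so the next package build does not reintroduce it.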
diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json index ec694cb28ce..46663bea0c5 100644 --- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json +++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json 
@@ -192,7 +192,7 @@ }, { "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "title": "", 
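Review bot: The new text on this line says `Choose Python 3.11 or above.`, while the same commit pins the runtime to `python|3.11` in azuredeploy_CofenseTriage_API_AzureFunction.json and changes the connector README to `Choose Python 3.11` with no "or above"; a manual deployer who follows this wording and picks 3.12 or 3.13 ends up on a runtime the rebuilt CofenseTriageDataConnector.zip was presumably not validated against. Make the three agree by changing step e here to `e. **Select a runtime:** Choose Python 3.11.`. If Package/mainTemplate.json is generated from this connector definition, fixing it here keeps both copies in sync; otherwise the two mainTemplate hunks below need the same edit.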
diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md index 085909527b7..51376430846 100644 --- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md +++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md @@ -169,7 +169,7 @@ Use the following step-by-step instructions to deploy the Cofense Threat Indicat 2. Select Subscription: Choose the subscription to use. 3. Select Create new Function App in Azure (Don't choose the Advanced option) 4. Enter a globally unique name for the function app: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX). - 5. Select a runtime: Choose Python 3.8 or above. + 5. Select a runtime: Choose Python 3.11 6. Select a location for new resources. For better performance and lower costs choose the same region where Microsoft Sentinel is located. 6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied. 7. Go to Azure Portal for the Function App configuration. diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json index 3433150906f..ac07e804e9f 100644 --- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json +++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json @@ -278,7 +278,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.8" + "linuxFxVersion": "python|3.11" } }, "resources": [ 
diff --git a/Solutions/CofenseTriage/Package/3.0.0.zip b/Solutions/CofenseTriage/Package/3.0.0.zip index 148e6d36fd0..b9a02a11dcc 100644 Binary files a/Solutions/CofenseTriage/Package/3.0.0.zip and b/Solutions/CofenseTriage/Package/3.0.0.zip differ diff --git a/Solutions/CofenseTriage/Package/mainTemplate.json b/Solutions/CofenseTriage/Package/mainTemplate.json index 6ccebe09aaf..47fffb5a090 100644 --- a/Solutions/CofenseTriage/Package/mainTemplate.json +++ b/Solutions/CofenseTriage/Package/mainTemplate.json 
@@ -363,7 +363,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense URL (https:///) \n\t\tCofense Client ID \n\t\tCofense Client Secret \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tThreat Level \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tThrottle Limit for Non-Cofense Indicators (optional) \n\t\tLogLevel (optional) \n\t\tReports Table Name \n\t\tSchedule \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." 
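Review bot: The added description here keeps `Choose Python 3.11 or above.` although this commit pins `linuxFxVersion` to `python|3.11` in the Triage azuredeploy template and drops "or above" from the Triage README, so the packaged template now disagrees with the file it is packaged from. Change the phrase to `Choose Python 3.11.` so the manual path matches the ARM-deployed runtime. The context line listing the application settings also has operators enter Workspace Key, Cofense Client Secret and Azure Client Secret as plain app settings; a one-line note recommending Key Vault references for those three values would be worth adding in the same string, before `\n4. Once all application settings`.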
@@ -634,7 +634,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense URL (https:///) \n\t\tCofense Client ID \n\t\tCofense Client Secret \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tThreat Level \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tThrottle Limit for Non-Cofense Indicators (optional) \n\t\tLogLevel (optional) \n\t\tReports Table Name \n\t\tSchedule \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip
index b9769c4be2d..ce530240be5 100644
Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip differ
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json
index 83047bb692c..98e96bc04b8 100644
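Review bot: The runtime step on the new side of this hunk says `Choose Python 3.11 or above`, while the CrowdStrike descriptions changed in the same commit say `Choose Python 3.11.` and that solution's ARM template pins `linuxFxVersion` to `python|3.11`. If the Cofense function package is only validated on 3.11, "or above" invites deploying it onto a runtime it was not tested on; suggest `Choose Python 3.11.` for consistency with the other connectors. The Cofense ARM template is not in this chunk, so whether it pins the runtime the same way is inferred.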
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json
@@ -111,7 +111,7 @@ }, { "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "title": "", 
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json
index 95790332481..3960642d132 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json
@@ -161,7 +161,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip
new file mode 100644
index 00000000000..d32e8ab47c7
Binary files /dev/null and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip differ
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json
index 6b8a7c9ff7b..eff61427415 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json
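Review bot: `linuxFxVersion` moves from `python|3.8` to `python|3.11`, but nothing in this hunk records that the deployed package was rebuilt and tested against that runtime; the accompanying CrowdstrikeFalconAPISentinelConn.zip change is binary, so its dependency pins cannot be reviewed here and should be confirmed to resolve and run on 3.11. Python 3.11 is only supported on the Functions v4 host, so if the template sets `FUNCTIONS_EXTENSION_VERSION` outside this hunk it must be `~4`. The runtime change should also be called out in the solution's ReleaseNotes, since redeploying over an existing 3.8 function app changes its runtime in place.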
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 5, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 5, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -70,6 +70,27 @@
 "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
+ {
+ "name": "dataconnectors3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
index 6dbaba8a153..e2dfe2ef379 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
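Review bot: The three added `Microsoft.Common.TextBlock` entries (`dataconnectors3-text` through `dataconnectors5-text`) repeat the existing paragraph word for word — two say `CommonSecurityLog data`, two say `custom log data` — so the installer page now shows five near-identical blocks that never say which of the five connectors each describes. Naming the connector in each `text` (the CEF/AMA-based ones versus the CrowdstrikeReplicator function-app ones) would let a reader tell them apart and match them to the connector count in the solution description. Whether the packaging tool that emits this file supports per-connector text is not visible in this chunk.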
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "CrowdStrike Falcon Endpoint Protection",
- "_solutionVersion": "3.0.8",
+ "_solutionVersion": "3.0.9",
 "solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "CrowdstrikeReplicator",
@@ -169,7 +169,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -299,7 +299,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." 
@@ -500,7 +500,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
@@ -520,7 +520,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -869,7 +869,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion3')]",
@@ -1253,7 +1253,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion4')]",
@@ -1586,7 +1586,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion5')]",
@@ -1917,7 +1917,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.0.8",
+ "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -2049,7 +2049,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdstrikeReplicator Data Parser with template version 3.0.8",
+ "description": "CrowdstrikeReplicator Data Parser with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -2181,7 +2181,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.0.8",
+ "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -2313,7 +2313,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.0.8",
+ "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -2401,7 +2401,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.0.8",
+ "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -2429,22 +2429,22 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "CrowdStrikeFalconEndpointProtection",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CrowdStrikeFalconEndpointProtection"
 },
 {
- "connectorId": "CrowdStrikeFalconEndpointProtectionAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CrowdStrikeFalconEndpointProtectionAma"
 },
 {
- "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
 }
 ],
 "entityMappings": [
@@ -2542,7 +2542,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.0.8",
+ "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
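Review bot: The `@@ -2429,22` hunk here and the `@@ -2570,22` hunk on the next line only move `connectorId` after `dataTypes` inside each `requiredDataConnectors` entry; JSON member order carries no meaning, so these six removed and six added lines per rule are packaging-tool churn rather than a functional change. That churn makes a version-bump commit harder to review, because a reader has to diff each pair to confirm nothing else moved. Keeping the generator's key ordering stable, or noting the reordering in the PR description, would make future bumps reviewable at a glance.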
@@ -2570,22 +2570,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "CrowdStrikeFalconEndpointProtectionAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtectionAma" }, { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "entityMappings": [ @@ -2683,7 +2683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike_Base Playbook with template version 3.0.8", + "description": "CrowdStrike_Base Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -3060,7 +3060,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.0.8", + "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -4515,7 +4515,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Crowdstrike-ContainHost Playbook with template version 3.0.8", + "description": "Crowdstrike-ContainHost Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -5630,12 +5630,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.8", + "version": "3.0.9", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CrowdStrike Falcon Endpoint Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 5, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 5, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md index 52f0b05f19c..de279d00023 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| +| 3.0.9 | 20-09-2024 | Updated the python runtime version to 3.11 | | 3.0.8 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.7 | 20-06-2024 | Shortlinks updated for **Data Connector** CrowdStrike Falcon Indicators of Compromise | | 3.0.6 | 06-06-2024 | Renamed **Data Connector** *CrowdStrike Falcon Indicators of Compromise* to *CrowdStrike Falcon Adversary Intelligence* | diff --git a/Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_API_FunctionApp.json b/Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_API_FunctionApp.json new file mode 100644 index 00000000000..fa05bc9d046 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_API_FunctionApp.json 
@@ -0,0 +1,80 @@ +{ + "id": "ESETProtectPlatform", + "title": "ESET Protect Platform", + "publisher": "ESET", + "descriptionMarkdown": "The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). Integration REST API runs as scheduled Azure Function App.", + "graphQueries": [{"metricName": "Total data received", "legend": "IntegrationTable_CL", "baseQuery": "IntegrationTable_CL"}], + "sampleQueries": [ + {"description": "All table records sorted by time", "query": "IntegrationTable_CL\n| sort by TimeGenerated desc"} + ], + "dataTypes": [ + { + "name": "IntegrationTable_CL", + "lastDataReceivedQuery": "IntegrationTable_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "IntegrationTable_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": {"status": 1, "isPreview": false}, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Permission to register an application in Microsoft Entra ID", + "description": "Sufficient permissions to register an application with your Microsoft Entra tenant are required." + }, + { + "name": "Permission to assign a role to the registered application", + "description": "Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/)." + }, + { + "title": "Step 1 - Create an API user", + "description": "Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**." 
+ }, + { + "title": "Step 2 - Create a registered application", + "description": "Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#register-a-new-application)" + }, + { + "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template", + "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**." + } + ] +} diff --git a/Solutions/ESET Protect Platform/Data Connectors/FunctionAppESETProtectPlatform.zip b/Solutions/ESET Protect Platform/Data Connectors/FunctionAppESETProtectPlatform.zip new file mode 100644 index 00000000000..dbcc365aed0 Binary files /dev/null and b/Solutions/ESET Protect Platform/Data Connectors/FunctionAppESETProtectPlatform.zip differ diff --git a/Solutions/ESET Protect Platform/Data Connectors/azuredeploy_ESETProtectPlatform_API_FunctionApp.json b/Solutions/ESET Protect Platform/Data Connectors/azuredeploy_ESETProtectPlatform_API_FunctionApp.json new file mode 100644 index 00000000000..f39e2ca2a64 --- /dev/null 
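Review bot: The `permissions.resourceProvider` list requires read access to the workspace `sharedKeys`, but the accompanying ARM template ingests through a Data Collection Endpoint/Rule with a registered application holding Monitoring Metrics Publisher, and none of the function app settings carry a workspace key, so the shared-key entry looks like a leftover from the legacy HTTP Data Collector pattern and asks installers for more than the connector uses. Unless the function reads the workspace key somewhere outside this change, drop that entry, and reconsider `"delete": true` on the workspace permission, which the deployment does not need either. In `descriptionMarkdown` the connector is said to "inject detections data"; the intended word is "ingest". The Step 2 link points at the Healthcare APIs app-registration guide rather than the generic Entra quickstart, which is what a reader would expect here.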
+++ b/Solutions/ESET Protect Platform/Data Connectors/azuredeploy_ESETProtectPlatform_API_FunctionApp.json 
@@ -0,0 +1,503 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Log Analytics workspace associated with Microsoft Sentinel." + } + }, + "tableName": { + "type": "string", + "metadata": { + "description": "The name of the custom Log Analytics table to be created." + }, + "defaultValue": "IntegrationTable_CL" + }, + "dataCollectionEndpointName": { + "type": "string", + "metadata": { + "description": "The name of the Data Collection Endpoint to be created." + }, + "defaultValue": "integrationDCE" + }, + "dataCollectionRuleName": { + "type": "string", + "metadata": { + "description": "The name of the Data Collection Rule to be created." + }, + "defaultValue": "integrationDCR" + }, + "applicationName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Function App to be created." + } + }, + "applicationRunInterval": { + "type": "int", + "defaultValue": 5, + "allowedValues": [ + 5, + 10, + 15 + ], + "metadata": { + "description": "The interval in minutes of sending detections to Microsoft Sentinel e.g. every 5 minutes." + } + }, + "objectID": { + "type": "string", + "metadata": { + "description": "The Object ID of the Service Principal associated with the registered application in Microsoft Entra ID." + } + }, + "azureClientID": { + "type": "string", + "metadata": { + "description": "The Azure Client ID of the registered application in Microsoft Entra ID." + } + }, + "azureClientSecret": { + "type": "secureString", + "metadata": { + "description": "The Azure Client Secret of the registered application in Microsoft Entra ID." + } + }, + "azureTenantID": { + "type": "string", + "metadata": { + "description": "The Azure Tenant ID of the registered application in Microsoft Entra ID." 
+ } + }, + "login": { + "type": "string", + "metadata": { + "description": "The ESET Connect API user account login." + } + }, + "password": { + "type": "secureString", + "metadata": { + "description": "The ESET Connect API user account password." + } + }, + "instanceRegion": { + "type": "string", + "defaultValue": "eu", + "allowedValues": [ + "eu", + "us", + "jpn", + "ca", + "de" + ], + "metadata": { + "description": "The region where your ESET Protect/Inspect/ECOS instance is running." + } + }, + "keyBase": { + "type": "string", + "defaultValue": "[newGuid()]", + "metadata": { + "description": "Do not change this value. Base string for the key to encrypt/decrypt token data." + } + } + }, + "variables": { + "tableNameCL": "[if(endsWith(parameters('tableName'), '_CL'), parameters('tableName'), concat(parameters('tableName'), '_CL'))]", + "customTableName": "[concat('Custom-', variables('tableNameCL'))]", + "applicationName": "[concat(parameters('applicationName'), uniquestring(resourceGroup().id))]", + "dataCollectionEndpointId":"[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('dataCollectionEndpointName'))]", + "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]", + "location": "[resourceGroup().location]", + "hostingPlanName": "[variables('applicationName')]", + "contentShare": "[variables('applicationName')]", + "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'azfunction')]", + "workspaces_integration_log_analytics_workspace_externalid":"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]", + "keyBase64": "[base64(replace(parameters('keyBase'), '-', ''))]" + + }, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionEndpoints", + "name": "[parameters('dataCollectionEndpointName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/tables', 
parameters('workspaceName'), variables('tableNameCL'))]" + ], + "apiVersion": "2021-04-01", + "properties": { + "networkAcls": { + "publicNetworkAccess": "Enabled" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "name": "[concat(parameters('workspaceName'), '/', variables('tableNameCL'))]", + "location": "[variables('location')]", + "properties": { + "schema": { + "name": "[variables('tableNameCL')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "typeName", + "type": "string" + }, + { + "name": "objectName", + "type": "string" + }, + { + "name": "networkCommunication", + "type": "dynamic" + }, + { + "name": "customUuid", + "type": "string" + }, + { + "name": "objectTypeName", + "type": "string" + }, + { + "name": "occurTime", + "type": "string" + }, + { + "name": "displayName", + "type": "string" + }, + { + "name": "responses", + "type": "dynamic" + }, + { + "name": "objectHashSha1", + "type": "string" + }, + { + "name": "severityLevel", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "objectUrl", + "type": "string" + }, + { + "name": "context", + "type": "dynamic" + } + ] + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2023-03-11", + "name": "[parameters('dataCollectionRuleName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), variables('tableNameCL'))]", + "[variables('dataCollectionEndpointId')]" + ], + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]", + "streamDeclarations": { + "[variables('customTableName')]": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "typeName", + "type": "string" + }, + { + "name": "objectName", + "type": "string" + }, + { + "name": "networkCommunication", + "type": 
"dynamic" + }, + { + "name": "customUuid", + "type": "string" + }, + { + "name": "objectTypeName", + "type": "string" + }, + { + "name": "occurTime", + "type": "string" + }, + { + "name": "displayName", + "type": "string" + }, + { + "name": "responses", + "type": "dynamic" + }, + { + "name": "objectHashSha1", + "type": "string" + }, + { + "name": "severityLevel", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "objectUrl", + "type": "string" + }, + { + "name": "context", + "type": "dynamic" + } + ] + } + }, + "dataSources": {}, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaces_integration_log_analytics_workspace_externalid')]", + "name": "[parameters('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "[variables('customTableName')]" + ], + "destinations": [ + "[parameters('workspaceName')]" + ], + "transformKql": "source", + "outputStream": "[variables('customTableName')]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('dataCollectionRuleName'), parameters('objectID'), 'Monitoring Metrics Publisher')]", + "scope": "[variables('dataCollectionRuleId')]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "principalId": "[parameters('objectID')]", + "principalType": "ServicePrincipal" + }, + "dependsOn": ["[variables('dataCollectionRuleId')]"] + }, + { + "apiVersion": "2022-03-01", + "name": "[variables('applicationName')]", + "type": "Microsoft.Web/sites", + "kind": "functionapp,linux", + "location": "[resourceGroup().location]", + "tags": {}, + "dependsOn": [ + "[concat('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[variables('dataCollectionRuleId')]" + + ], + "properties": { + 
"name": "[variables('applicationName')]", + "siteConfig": { + "appSettings": [ + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "python" + }, + { + "name": "APPLICATIONINSIGHTS_CONNECTION_STRING", + "value": "[reference(concat('microsoft.insights/components/', variables('applicationName')), '2015-05-01').ConnectionString]" + }, + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value,';EndpointSuffix=','core.windows.net')]" + }, + { + "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value,';EndpointSuffix=','core.windows.net')]" + }, + { + "name": "WEBSITE_CONTENTSHARE", + "value": "[toLower(variables('contentShare'))]" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "https://aka.ms/sentinel-EsetProtectionPlatform-FunctionApp" + }, + { + "name": "ENDPOINT_URI", + "value": "[reference(variables('dataCollectionEndpointId'), '2021-04-01').logsIngestion.endpoint]" + }, + { + "name": "DCR_IMMUTABLEID", + "value": "[reference(variables('dataCollectionRuleId'), '2023-03-11').immutableId]" + }, + { + "name": "STREAM_NAME", + "value": "[variables('customTableName')]" + }, + { + "name": "AZURE_CLIENT_ID", + "value": "[parameters('azureClientID')]" + }, + { + "name": "AZURE_CLIENT_SECRET", + "value": "[parameters('azureClientSecret')]" + }, + { + "name": "AZURE_TENANT_ID", + "value": "[parameters('azureTenantID')]" + }, + { + "name": "PASSWORD_INTEGRATION", + "value": "[parameters('password')]" + }, + { + "name": "USERNAME_INTEGRATION", + "value": 
"[parameters('login')]" + }, + { + "name": "INTERVAL", + "value": "[parameters('applicationRunInterval')]" + }, + { + "name": "PYTHONPATH", + "value": "/home/site/wwwroot/.python_packages/lib/site-packages,/home/site/wwwroot" + }, + { + "name": "PYTHON_ISOLATE_WORKER_DEPENDENCIES", + "value": "1" + }, + { + "name": "KEY_BASE64", + "value": "[variables('keyBase64')]" + }, + { + + "name": "INSTANCE_REGION", + "value": "[parameters('instanceRegion')]" + } + ], + "cors": { + "allowedOrigins": [ + "https://portal.azure.com" + ] + }, + "use32BitWorkerProcess": false, + "ftpsState": "FtpsOnly", + "linuxFxVersion": "Python|3.11" + }, + "clientAffinityEnabled": false, + "publicNetworkAccess": "Enabled", + "httpsOnly": true, + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(variables('applicationName'), '/scm')]", + "properties": { + "allow": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/Sites', variables('applicationName'))]" + ] + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(variables('applicationName'), '/ftp')]", + "properties": { + "allow": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/Sites', variables('applicationName'))]" + ] + } + ] + }, + { + "apiVersion": "2022-03-01", + "name": "[variables('hostingPlanName')]", + "type": "Microsoft.Web/serverfarms", + "location": "[resourceGroup().location]", + "kind": "linux", + "tags": {}, + "dependsOn": [], + "properties": { + "name": "[variables('hostingPlanName')]", + "workerSize": "0", + "workerSizeId": "0", + "numberOfWorkers": 1, + "reserved": true + }, + "sku": { + "Tier": "Dynamic", + "Name": "Y1" + } + }, + { + "apiVersion": "2020-02-02", + "name": "[variables('applicationName')]", + "type": "microsoft.insights/components", + 
"location": "westeurope", + "tags": {}, + "dependsOn": [], + "properties": { + "ApplicationId": "[variables('applicationName')]", + "Request_Source": "IbizaWebAppExtensionCreate", + "Flow_Type": "Redfield", + "Application_Type": "web", + "WorkspaceResourceId": "[variables('workspaces_integration_log_analytics_workspace_externalid')]" + } + }, + { + "apiVersion": "2022-05-01", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "TLS1_2", + "defaultToOAuthAuthentication": true + } + } + ] +} \ No newline at end of file diff --git a/Solutions/ESET Protect Platform/Data Connectors/function_app.py b/Solutions/ESET Protect Platform/Data Connectors/function_app.py new file mode 100644 index 00000000000..37b484f31cc --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/function_app.py @@ -0,0 +1,24 @@ +import logging +import os + +import azure.functions as func + +app = func.FunctionApp() + + +@app.timer_trigger( + schedule=f"0 */{os.getenv('INTERVAL', 5)} * * * *", arg_name="myTimer", run_on_startup=False, use_monitor=False +) +def timer_trigger(myTimer: func.TimerRequest) -> None: + if myTimer.past_due: + logging.info("The timer is past due!") + + logging.info("MAIN execution") + try: + from integration.main import main + + main() + except Exception as e: + logging.error(f"main error: {e}") + + logging.info("Python timer trigger function executed.") diff --git a/Solutions/ESET Protect Platform/Data Connectors/host.json b/Solutions/ESET Protect Platform/Data Connectors/host.json new file mode 100644 index 00000000000..9df913614d9 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/host.json 
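Review bot: `azureClientSecret` and `password` are declared `secureString` but are then copied verbatim into `appSettings` as `AZURE_CLIENT_SECRET` and `PASSWORD_INTEGRATION`, so anyone with `Microsoft.Web/sites/config/list/action` on the app can read the Entra client secret and the ESET API password in clear text; store them in Key Vault and reference them as `@Microsoft.KeyVault(SecretUri=...)`, and consider a system-assigned identity on the function app with the Monitoring Metrics Publisher assignment on the DCR so no client secret is needed at all. The `keyBase` parameter that seeds `KEY_BASE64`, described as the key protecting persisted token data, is a plain `string`, so its value is also kept in the deployment history; declare it `"type": "secureString"` at minimum. The `microsoft.insights/components` resource hardcodes `"location": "westeurope"` while every other resource in the template uses the resource-group region; use `"location": "[variables('location')]"` so telemetry is not written to a region the tenant did not choose. `WEBSITE_RUN_FROM_PACKAGE` pulls the code from an `aka.ms` redirect with no version or hash pinning, which is the established Sentinel pattern but means the code executed in the customer tenant can change without a redeployment.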
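Review bot: The `except Exception` around `main()` logs the error and returns normally, so every failure — an `ImportError` from `integration.main`, bad credentials, an ingestion outage — is reported to the Functions host as a successful invocation and no failure metric or alert fires. Log with the traceback and re-raise, `logging.exception("main error"); raise`, so the host records the failure. The cron expression is built by interpolating the raw `INTERVAL` environment variable; the ARM template limits it to 5/10/15 but the code should validate it (`int(...)` plus a bound) before it lands in the schedule string, since a non-numeric or out-of-range value only surfaces as an unparseable trigger at startup.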
@@ -0,0 +1,15 @@ +{ + "version": "2.0", + "logging": { + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + } + }, + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle", + "version": "[4.*, 5.0.0)" + } +} \ No newline at end of file diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/__init__.py b/Solutions/ESET Protect Platform/Data Connectors/integration/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/exceptions.py b/Solutions/ESET Protect Platform/Data Connectors/integration/exceptions.py new file mode 100644 index 00000000000..f08735288c7 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/integration/exceptions.py 
@@ -0,0 +1,41 @@ +import logging + + +class AuthenticationException(Exception): + def __init__(self, status: int, message: str) -> None: + self.status = status + self.message = message + self.s = f"AuthenticationException happend with status: {self.status}. Message: {self.message}" + logging.error(self.s) + + def __str__(self) -> str: + return self.s + + +class MissingCredentialsException(Exception): + def __init__(self) -> None: + self.s = "Missing credentials. Check if username and password are passed and correct." + logging.error(self.s) + + def __str__(self) -> str: + return self.s + + +class InvalidCredentialsException(AuthenticationException): + def __init__(self, e: AuthenticationException) -> None: + super().__init__(e.status, e.message) + self.s = f"{e.status, e.message}. Failed to get token in init setup. Check your credentials." + logging.error(self.s) + + def __str__(self) -> str: + return self.s + + +class TokenRefreshException(AuthenticationException): + def __init__(self, e: AuthenticationException) -> None: + super().__init__(e.status, e.message) + self.s = f"{e.status, e.message}. Failed to update access token. Refresh token may be invalid or expired." + logging.error(self.s) + + def __str__(self) -> str: + return self.s diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/main.py b/Solutions/ESET Protect Platform/Data Connectors/integration/main.py new file mode 100644 index 00000000000..fb6547ad842 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/integration/main.py 
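Review bot: Each exception constructor calls `logging.error` as a side effect, and `InvalidCredentialsException` and `TokenRefreshException` first run the base constructor and then log again, so one authentication failure produces two error lines and an exception that is constructed and then handled still emits an error record. Keep the classes as plain exceptions and log once at the catch site instead. `AuthenticationException` also embeds the raw `message` from the identity service in the log line; confirm upstream that the response body never carries token material before it reaches Application Insights. The message string contains the typo `happend`.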
@@ -0,0 +1,105 @@ +import asyncio +import logging +import time +import typing as t +from datetime import datetime, timezone + +from integration.models import Config, EnvVariables, TokenStorage +from integration.utils import ( + LastDetectionTimeHandler, + RequestSender, + TokenProvider, + TransformerDetections, +) + + +class ServiceClient: + def __init__(self) -> None: + self.config = Config() + self.env_vars = EnvVariables() + self.last_detection_time_handler = LastDetectionTimeHandler( + self.env_vars.conn_str, + self.env_vars.last_detection_time, + ) + self.request_sender = RequestSender(self.config, self.env_vars) + self.token_provider = TokenProvider(TokenStorage(), self.request_sender, self.env_vars, self.config.buffer) + self.transformer_detections = TransformerDetections(self.env_vars) + self._is_running = False + self._next_page_token: str | None = None + self._cur_ld_time: str | None = None + + async def run(self) -> None: + if self._is_running: + while self._is_running: + await asyncio.gather(self._custom_sleep(), self._process_integration()) + else: + await asyncio.gather(self._process_integration()) + + async def _process_integration(self) -> None: + start_time = time.time() + max_duration = self.env_vars.interval * 60 + + while self._next_page_token != "" and (time.time() - start_time) < (max_duration - 30): + response_data = await self._call_service() + self._next_page_token = response_data.get("nextPageToken") if response_data else "" + + if response_data and response_data.get("detections") and (time.time() - start_time) < (max_duration - 15): + self._cur_ld_time, successful_data_upload = ( + await self.transformer_detections.send_integration_detections(response_data, self._cur_ld_time) + ) + self._next_page_token = "" if successful_data_upload is False else self._next_page_token + self._update_last_detection_time() + + def _update_last_detection_time(self) -> None: + if self._cur_ld_time and self._cur_ld_time != 
self.last_detection_time_handler.last_detection_time: + self.last_detection_time_handler.storage_table_handler.input_entity( + new_entity=self.last_detection_time_handler.get_entity_schema(self._cur_ld_time) # type: ignore[call-arg] + ) + + async def _custom_sleep(self) -> None: + logging.info(f"Start of the {self.env_vars.interval} seconds interval") + await asyncio.sleep(self.env_vars.interval) + logging.info(f"End of the {self.env_vars.interval} seconds interval") + + async def _call_service(self) -> dict[str, t.Any] | None: + logging.info(f"Service call initiated") + + if not self.token_provider.token.access_token or datetime.now(timezone.utc) > self.token_provider.token.expiration_time: # type: ignore + await self.token_provider.get_token() + + try: + if ( + self.token_provider.token.expiration_time + and datetime.now(timezone.utc) < self.token_provider.token.expiration_time + ): + data = await self.request_sender.send_request( + self.request_sender.send_request_get, + { + "Authorization": f"Bearer {self.token_provider.token.access_token}", + "Content-Type": "application/json", + }, + self.last_detection_time_handler.last_detection_time, + self._next_page_token, + ) + logging.info( + f"Service call response data is {'obtained' if data and data.get('detections') else f'empty: {data}'}" + ) + return data + + logging.info("Service not called due to missing token.") + except Exception as e: + logging.error(f"Error in running service call: {e}") + + return None + + +def main() -> None: + logging.basicConfig( + format="%(asctime)s - %(levelname)s - %(message)s", level=logging.INFO, datefmt="%Y-%m-%d %H:%M:%S" + ) + service_client = ServiceClient() + asyncio.run(service_client.run()) + + +if __name__ == "__main__": + main() diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/models.py b/Solutions/ESET Protect Platform/Data Connectors/integration/models.py new file mode 100644 index 00000000000..afbba7d4309 --- /dev/null 
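Review bot: `_process_integration` calls `_update_last_detection_time()` after every page regardless of `successful_data_upload`, so if `send_integration_detections` returns an advanced `_cur_ld_time` on a failed upload (its implementation is outside this hunk) the stored watermark moves past detections that were never written to the workspace and they are silently lost; gate it with `if successful_data_upload: self._update_last_detection_time()`. The same hunk mixes units: `max_duration` treats `interval` as minutes (`interval * 60`) while `_custom_sleep` sleeps `interval` seconds and logs it as a seconds interval; that loop is unreachable today because `_is_running` is never set to True, but it will misbehave if enabled. In `_call_service` any exception is reduced to a log line and `None`, which ends the paging loop without distinguishing a transient error from an empty response.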
+++ b/Solutions/ESET Protect Platform/Data Connectors/integration/models.py 
@@ -0,0 +1,101 @@ +import logging +import os +import typing as t +from dataclasses import dataclass, field +from datetime import datetime, timedelta, timezone +from importlib import resources + +import yaml + + +@dataclass +class TokenStorage: + __access_token: str | None = field(default=None, init=False) + __refresh_token: str | None = field(default=None, init=False) + __expiration_time: datetime | None = field(default=None, init=False) + + @property + def access_token(self) -> str | None: + return self.__access_token + + @access_token.setter + def access_token(self, value: str) -> None: + self.__access_token = value + + @property + def refresh_token(self) -> str | None: + return self.__refresh_token + + @refresh_token.setter + def refresh_token(self, value: str) -> None: + self.__refresh_token = value + + @property + def expiration_time(self) -> datetime | None: + return self.__expiration_time + + @expiration_time.setter + def expiration_time(self, value: datetime) -> None: + self.__expiration_time = value + + def to_dict(self) -> dict[str, t.Any]: + return { + "access_token": self.access_token, + "refresh_token": self.refresh_token, + "expiration_time": self.expiration_time, + } + + +class Config: + def __init__(self) -> None: + config = self.get_config_params() + if config: + self.max_retries: int = config.get("max_retries") # type: ignore + self.retry_delay: float = float(config.get("retry_delay")) # type: ignore + self.requests_timeout = config.get("requests_timeout") + self.buffer: int = config.get("buffer") # type: ignore + + def get_config_params(self) -> dict[str, t.Any] | t.Any: + try: + return yaml.safe_load( + resources.files(__package__ or "integration").parent.joinpath("config.yml").read_bytes() + ) + except FileNotFoundError as e: + logging.error(e) + raise FileNotFoundError("The config file is not found. 
Further processing is impossible.") + + +class EnvVariables: + def __init__(self) -> None: + self.__username: str | None = os.getenv("USERNAME_INTEGRATION") + self.__password: str | None = os.getenv("PASSWORD_INTEGRATION") + self.interval: int = int(os.getenv("INTERVAL", 5)) + self.last_detection_time: str = os.getenv( + "LAST_DETECTION", + (datetime.now(timezone.utc) - timedelta(seconds=self.interval * 60)).strftime("%Y-%m-%dT%H:%M:%SZ"), + ) + self.endpoint_uri: str = os.getenv("ENDPOINT_URI", "") + self.dcr_immutableid: str = os.getenv("DCR_IMMUTABLEID", "") + self.stream_name: str = os.getenv("STREAM_NAME", "") + self.__conn_str: str = os.getenv("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "") + self.__key_base64: str = os.getenv("KEY_BASE64", "") + + region = os.getenv("INSTANCE_REGION", "") + self.oauth_url: str = f"https://{region}.business-account.iam.eset.systems" + self.detections_url: str = f"https://{region}.incident-management.eset.systems/v1/detections" + + @property + def username(self) -> str | None: + return self.__username + + @property + def password(self) -> str | None: + return self.__password + + @property + def conn_str(self) -> str: + return self.__conn_str + + @property + def key_base64(self) -> str: + return self.__key_base64 diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/models_detections.py b/Solutions/ESET Protect Platform/Data Connectors/integration/models_detections.py new file mode 100644 index 00000000000..2684ba196de --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/integration/models_detections.py 
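Review bot: `EnvVariables.__init__` interpolates `INSTANCE_REGION` straight into the OAuth and detections hostnames, so an unset or malformed value quietly yields `https://.business-account.iam.eset.systems` and the password grant is then sent to that host; fail fast instead, e.g. `if not region: raise ValueError("INSTANCE_REGION must be set")`, and restrict the value to the characters a region label can contain. `Config.__init__` has the same late-failure shape: when `config.yml` parses to an empty document the `if config:` guard leaves `max_retries`, `retry_delay` and `buffer` unset and the first `send_request` dies with `AttributeError` far from the cause, so raise on an empty config there. The default lookback `self.interval * 60` seconds deserves a comment, because `INTERVAL` is otherwise used as a plain seconds value (see `_custom_sleep`); I can't tell from the hunk whether the factor of 60 is intended.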
@@ -0,0 +1,49 @@ +from datetime import datetime + +from pydantic import BaseModel, Field + + +class NetworkCommunication(BaseModel): + direction: str + localIpAddress: str + localPort: int + protocolName: str + remoteIpAddress: str + remotePort: int + + +class Context(BaseModel): + circumstances: str + deviceUuid: str + process: dict[str, str] + userName: str + + +class Response(BaseModel): + description: str + deviceRestartRequired: bool + displayName: str + protectionName: str + + +class Detection(BaseModel): + context: Context + networkCommunication: NetworkCommunication + responses: list[Response] + category: str + displayName: str + objectHashSha1: str + objectName: str + objectTypeName: str + objectUrl: str + occurTime: str + TimeGenerated: str = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ") + severityLevel: str + typeName: str + customUuid: str = Field(alias="uuid") + + +class Detections(BaseModel): + detections: list[Detection] + nextPageToken: str + totalSize: int diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/py.typed b/Solutions/ESET Protect Platform/Data Connectors/integration/py.typed new file mode 100644 index 00000000000..e69de29bb2d diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/utils.py b/Solutions/ESET Protect Platform/Data Connectors/integration/utils.py new file mode 100644 index 00000000000..485561765a1 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/integration/utils.py 
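Review bot: `TimeGenerated: str = datetime.utcnow().strftime(...)` on `Detection` is evaluated once when the module is imported, so every instance created over the lifetime of the function app shares that stale timestamp; use a per-instance factory, `TimeGenerated: str = Field(default_factory=lambda: datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"))` (and note `datetime.utcnow()` is deprecated from Python 3.12, so `datetime.now(timezone.utc)` with the matching import is the longer-term form). `_update_time_generated` in utils.py overwrites the field before upload, which masks the defect today, but the model should not lie on its own. `nextPageToken: str` and `totalSize: int` are required fields; if the service omits `nextPageToken` on the last page (I can't tell from here), whole-response validation fails on every final page and the per-detection fallback runs with an error logged, which `nextPageToken: str | None = None` would avoid.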
@@ -0,0 +1,289 @@ +import asyncio +import logging +import typing as t +import urllib.parse +from datetime import datetime, timedelta, timezone + +import aiohttp +from aiohttp.client_exceptions import ClientResponseError +from azure.core.exceptions import HttpResponseError, ServiceRequestError +from azure.data.tables import TableServiceClient +from azure.identity.aio import DefaultAzureCredential +from azure.monitor.ingestion.aio import LogsIngestionClient +from cryptography.fernet import Fernet, InvalidToken +from integration.exceptions import ( + AuthenticationException, + InvalidCredentialsException, + MissingCredentialsException, + TokenRefreshException, +) +from integration.models import Config, EnvVariables, TokenStorage +from integration.models_detections import Detection, Detections +from pydantic import ValidationError + + +class RequestSender: + def __init__(self, config: Config, env_vars: EnvVariables): + self.config = config + self.env_vars = env_vars + + async def send_request( + self, + send_request_fun: ( + t.Callable[ + [aiohttp.client.ClientSession, str, str | None], t.Coroutine[t.Any, t.Any, dict[str, str | int] | t.Any] + ] + | t.Callable[ + [aiohttp.client.ClientSession, str | None], t.Coroutine[t.Any, t.Any, dict[str, str | int] | t.Any] + ] + ), + headers: dict[str, t.Any] | None = None, + *data: t.Any, + ) -> t.Dict[str, str | int] | None: + retries = 0 + + while retries < self.config.max_retries: + try: + async with aiohttp.ClientSession(headers=headers, raise_for_status=True) as session: + return await send_request_fun(session, *data) + + except ClientResponseError as e: + if e.status in [400, 401, 403]: + raise AuthenticationException(status=e.status, message=e.message) + + retries += 1 + logging.error( + f"Exception: {e.status} {e.message}. Request failed. 
" + f"Request retry attempt: {retries}/{self.config.max_retries}" + ) + await asyncio.sleep(self.config.retry_delay) + return None + + async def send_request_post( + self, session: aiohttp.client.ClientSession, grant_type: str | None + ) -> t.Dict[str, str | int] | t.Any: + logging.info("Sending token request") + + async with session.post( + url=f"{self.env_vars.oauth_url}/oauth/token", + data=urllib.parse.quote(f"grant_type={grant_type}", safe="=&/"), + timeout=self.config.requests_timeout, + ) as response: + return await response.json() + + async def send_request_get( + self, session: aiohttp.client.ClientSession, last_detection_time: str, next_page_token: str | None + ) -> t.Dict[str, str | int] | t.Any: + logging.info("Sending service request") + + async with session.get( + self.env_vars.detections_url, params=self._prepare_get_request_params(last_detection_time, next_page_token) + ) as response: + return await response.json() + + def _prepare_get_request_params(self, last_detection_time: str, next_page_token: str | None) -> dict[str, t.Any]: + params = {"pageSize": 100} + if next_page_token not in ["", None]: + params["pageToken"] = next_page_token # type: ignore[assignment] + if last_detection_time: + params["startTime"] = last_detection_time # type: ignore[assignment] + + return params + + +class TokenProvider: + def __init__(self, token: TokenStorage, requests_sender: RequestSender, env_vars: EnvVariables, buffer: int): + self.token = token + self.requests_sender = requests_sender + self.env_vars = env_vars + self.buffer = buffer + self.fernet = Fernet(self.env_vars.key_base64.encode("utf-8")) + self.storage_table_name = "TokenParams" + self.storage_table_handler = StorageTableHandler(self.env_vars.conn_str, self.storage_table_name) + self.storage_table_handler.set_entity() + + self.get_token_params_from_storage() + + def get_token_params_from_storage(self) -> None: + if not self.storage_table_handler.entities: + return None + for token_param in 
self.token.to_dict().keys(): + value = self.storage_table_handler.entities.get(token_param) + if isinstance(value, bytes): + try: + value = self.fernet.decrypt(value).decode("utf-8") + except InvalidToken: + logging.warning("Issue with decrypt: Invalid Token") + value = "" + setattr(self.token, token_param, value) + + async def get_token(self) -> None: + logging.info("Getting token") + + if not self.token.access_token and (not self.env_vars.username or not self.env_vars.password): + raise MissingCredentialsException() + + grant_type = ( + f"refresh_token&refresh_token={self.token.refresh_token}" + if self.token.access_token + else f"password&username={self.env_vars.username}&password={self.env_vars.password}" + ) + + try: + response = await self.requests_sender.send_request( + self.requests_sender.send_request_post, + {"Content-type": "application/x-www-form-urlencoded"}, + grant_type, + ) + except AuthenticationException as e: + if not self.token.access_token: + raise InvalidCredentialsException(e) + else: + self.storage_table_handler.input_entity({k: "" for k in self.token.to_dict()}) # type: ignore[call-arg] + raise TokenRefreshException(e) + + if response: + self.set_token_params_locally_and_in_storage(response) + logging.info("Token obtained successfully") + + def set_token_params_locally_and_in_storage(self, response: t.Dict[str, str | int]) -> None: + self.token.access_token = t.cast(str, response["access_token"]) + self.token.refresh_token = t.cast(str, response["refresh_token"]) + self.token.expiration_time = datetime.now(timezone.utc) + timedelta( + seconds=int(response["expires_in"]) - self.buffer + ) + self.storage_table_handler.input_entity( + { + k: self.fernet.encrypt(v.encode("utf-8")) if type(v) is str else v + for k, v in self.token.to_dict().items() + } + ) # type: ignore[call-arg] + + +class TransformerDetections: + def __init__(self, env_vars: EnvVariables) -> None: + self.env_vars = env_vars + + async def send_integration_detections( + self, 
detections: dict[str, t.Any] | None, last_detection: str | None + ) -> tuple[str | None, bool]: + validated_detections = self._validate_detections_data(detections) + if not validated_detections: + return last_detection, False + return await self._send_data_to_log_analytics_workspace(validated_detections, last_detection) + + def _validate_detections_data(self, response_data: dict[str, t.Any] | None) -> list[Detection] | None: + if not response_data: + logging.info("No new detections") + return None + try: + return Detections.model_validate(response_data).detections + except ValidationError as e: + logging.error(e) + validated_detections = [] + for detection in response_data.get("detections"): # type: ignore + try: + validated_detections.append(Detection.model_validate(detection)) + except ValidationError as e: + logging.error(e) + + return validated_detections + + async def _send_data_to_log_analytics_workspace( + self, validated_data: t.List[Detection], last_detection: str | None, successful_data_upload: bool = False + ) -> tuple[str | None, bool]: + credential = DefaultAzureCredential() # Env vars: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID + client = LogsIngestionClient(endpoint=self.env_vars.endpoint_uri, credential=credential, logging_enable=True) + + async with client: + try: + self._update_time_generated(validated_data) + dumped_data = [d.model_dump() for d in validated_data] + + await client.upload( + rule_id=self.env_vars.dcr_immutableid, + stream_name=self.env_vars.stream_name, + logs=dumped_data, # type: ignore[arg-type] + ) + last_detection = max(validated_data, key=lambda detection: detection.occurTime).occurTime + successful_data_upload = True + except ServiceRequestError as e: + logging.error(f"Authentication to Azure service failed: {e}") + except HttpResponseError as e: + logging.error(f"Upload failed: {e}") + + await credential.close() + return last_detection, successful_data_upload + + def _update_time_generated(self, validated_data: 
t.List[Detection]) -> None: + utc_now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ") + for data in validated_data: + data.TimeGenerated = utc_now + + +class StorageTableHandler: + def __init__(self, env_conn_str: str, table_name_keys: str) -> None: + self.conn_str = env_conn_str + self.table_name_keys = table_name_keys + self.entities = None + self.table_client = None + + def with_table_client(func: t.Callable[[t.Any, t.Any], t.Any]) -> t.Callable[[t.Any], t.Any]: # type: ignore + def wrapper(storage_table_handler_instance, *args, **kwargs): # type: ignore[no-untyped-def] + try: + with TableServiceClient.from_connection_string( + conn_str=storage_table_handler_instance.conn_str + ) as table_service_client: + storage_table_handler_instance.table_client = table_service_client.create_table_if_not_exists( + table_name=storage_table_handler_instance.table_name_keys + ) + return func(storage_table_handler_instance, *args, **kwargs) + except ValueError as e: + raise ValueError(f"Connection string WEBSITE_CONTENTAZUREFILECONNECTIONSTRING value error: {e}") + + return wrapper + + @with_table_client # type: ignore + def set_entity(self) -> None: + if self.table_client: + self.entities = next(self.table_client.query_entities(""), None) + return None + + @with_table_client + def input_entity(self, new_entity: dict[str, t.Any]) -> None: + entity = { + "PartitionKey": self.table_name_keys, + "RowKey": self.table_name_keys, + "TimeGenerated": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"), + } | new_entity + try: + if self.table_client: + ( + self.table_client.update_entity(entity=entity) + if self.entities + else self.table_client.create_entity(entity=entity) + ) + logging.info(f"Entity: {self.table_name_keys} updated") + except Exception as e: + print("Exception occurred:", e) + + +class LastDetectionTimeHandler: + def __init__(self, storage_table_conn_str: str, env_last_occur_time: str) -> None: + self.storage_table_name = "LastDetectionTime" + self.storage_table_handler 
= StorageTableHandler(storage_table_conn_str, self.storage_table_name) + self.storage_table_handler.set_entity() + self.last_detection_time = self.get_last_occur_time(env_last_occur_time) + + def get_last_occur_time(self, env_last_occur_time: str) -> t.Any: + if self.storage_table_handler.entities: + return self.storage_table_handler.entities.get(self.storage_table_name) + return env_last_occur_time + + def get_entity_schema(self, cur_last_detection_time: str) -> dict[str, t.Any]: + return { + self.storage_table_name: ( + datetime.strptime(cur_last_detection_time, "%Y-%m-%dT%H:%M:%SZ") + timedelta(seconds=1) + ).isoformat() + + "Z" + } diff --git a/Solutions/ESET Protect Platform/Data Connectors/requirements.txt b/Solutions/ESET Protect Platform/Data Connectors/requirements.txt new file mode 100644 index 00000000000..ade7a02d953 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/requirements.txt 
@@ -0,0 +1,30 @@ +aiohttp==3.9.5 ; python_version >= "3.11" and python_version < "4.0" +aiosignal==1.3.1 ; python_version >= "3.11" and python_version < "4.0" +annotated-types==0.7.0 ; python_version >= "3.11" and python_version < "4.0" +attrs==24.2.0 ; python_version >= "3.11" and python_version < "4.0" +azure-core==1.30.2 ; python_version >= "3.11" and python_version < "4.0" +azure-data-tables==12.5.0 ; python_version >= "3.11" and python_version < "4.0" +azure-functions==1.20.0 ; python_version >= "3.11" and python_version < "4.0" +azure-identity==1.17.1 ; python_version >= "3.11" and python_version < "4.0" +azure-monitor-ingestion==1.0.4 ; python_version >= "3.11" and python_version < "4.0" +certifi==2024.8.30 ; python_version >= "3.11" and python_version < "4.0" +cffi==1.17.1 ; python_version >= "3.11" and python_version < "4.0" and platform_python_implementation != "PyPy" +charset-normalizer==3.3.2 ; python_version >= "3.11" and python_version < "4.0" +cryptography==43.0.1 ; python_version >= "3.11" and python_version < "4.0" +frozenlist==1.4.1 ; python_version >= "3.11" and python_version < "4.0" +idna==3.10 ; python_version >= "3.11" and python_version < "4.0" +isodate==0.6.1 ; python_version >= "3.11" and python_version < "4.0" +msal-extensions==1.2.0 ; python_version >= "3.11" and python_version < "4.0" +msal==1.31.0 ; python_version >= "3.11" and python_version < "4.0" +multidict==6.1.0 ; python_version >= "3.11" and python_version < "4.0" +portalocker==2.10.1 ; python_version >= "3.11" and python_version < "4.0" +pycparser==2.22 ; python_version >= "3.11" and python_version < "4.0" and platform_python_implementation != "PyPy" +pydantic-core==2.20.1 ; python_version >= "3.11" and python_version < "4.0" +pydantic==2.8.2 ; python_version >= "3.11" and python_version < "4.0" +pyjwt[crypto]==2.9.0 ; python_version >= "3.11" and python_version < "4.0" +pyyaml==6.0.1 ; python_version >= "3.11" and python_version < "4.0" +requests==2.32.3 ; python_version >= 
"3.11" and python_version < "4.0" +six==1.16.0 ; python_version >= "3.11" and python_version < "4.0" +typing-extensions==4.12.2 ; python_version >= "3.11" and python_version < "4.0" +urllib3==2.2.3 ; python_version >= "3.11" and python_version < "4.0" +yarl==1.13.1 ; python_version >= "3.11" and python_version < "4.0" diff --git a/Solutions/ESET Protect Platform/Data/Solution_ESETProtectPlatform.json b/Solutions/ESET Protect Platform/Data/Solution_ESETProtectPlatform.json new file mode 100644 index 00000000000..b6813c11bcf --- /dev/null +++ b/Solutions/ESET Protect Platform/Data/Solution_ESETProtectPlatform.json @@ -0,0 +1,14 @@ +{ + "Name": "ESET Protect Platform", + "Author": "ESET", + "Logo": "", + "Description": "ESET Protect Platform solution for Microsoft Sentinel ingests detections from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). \n\n**Underlying Microsoft Technologies used:**\n\nThe ESET Protect Platform solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Logs Ingestion API in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n", + "Data Connectors": [ + "Data Connectors/ESETProtectPlatform_API_FunctionApp.json" + ], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ESET Protect Platform", + "Version": "1.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1Pconnector": false + } \ No newline at end of file 
diff --git a/Solutions/ESET Protect Platform/Package/3.0.0.zip b/Solutions/ESET Protect Platform/Package/3.0.0.zip new file mode 100644 index 00000000000..e998ac2e8b9 Binary files /dev/null and b/Solutions/ESET Protect Platform/Package/3.0.0.zip differ diff --git a/Solutions/ESET Protect Platform/Package/createUiDefinition.json b/Solutions/ESET Protect Platform/Package/createUiDefinition.json new file mode 100644 index 00000000000..11bb249e26d --- /dev/null +++ b/Solutions/ESET Protect Platform/Package/createUiDefinition.json 
@@ -0,0 +1,85 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ESET%20Protect%20Platform/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nESET Protect Platform solution for Microsoft Sentinel ingests detections from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). \n\n**Underlying Microsoft Technologies used:**\n\nThe ESET Protect Platform solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Logs Ingestion API in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for ESET Protect Platform. You can get ESET Protect Platform custom log data in your Microsoft Sentinel workspace. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/ESET Protect Platform/Package/mainTemplate.json b/Solutions/ESET Protect Platform/Package/mainTemplate.json new file mode 100644 index 00000000000..75f6456cd17 --- /dev/null +++ b/Solutions/ESET Protect Platform/Package/mainTemplate.json 
@@ -0,0 +1,393 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "ESET", + "comments": "Solution template for ESET Protect Platform" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "ESET Protect Platform", + "_solutionVersion": "3.0.0", + "solutionId": "eset.eset-protect-platform-solution", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "ESETProtectPlatform", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "ESETProtectPlatform", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ESET Protect Platform data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "ESET Protect Platform (using Azure Functions)", + "publisher": "ESET", + "descriptionMarkdown": "The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). 
Integration REST API runs as scheduled Azure Function App.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "IntegrationTable_CL", + "baseQuery": "IntegrationTable_CL" + } + ], + "sampleQueries": [ + { + "description": "All table records sorted by time", + "query": "IntegrationTable_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "IntegrationTable_CL", + "lastDataReceivedQuery": "IntegrationTable_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "IntegrationTable_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "Permission to register an application in Microsoft Entra ID", + "description": "Sufficient permissions to register an application with your Microsoft Entra tenant are required." + }, + { + "name": "Permission to assign a role to the registered application", + "description": "Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/)." + }, + { + "description": "Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**.", + "title": "Step 1 - Create an API user" + }, + { + "description": "Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#register-a-new-application)", + "title": "Step 2 - Create a registered application" + }, + { + "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. 
You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.", + "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "ESET Protect Platform", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ESET" + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "ESET Protect Platform (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": 
"[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "ESET Protect Platform", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ESET" + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "ESET Protect Platform (using Azure Functions)", + "publisher": "ESET", + "descriptionMarkdown": "The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). 
Integration REST API runs as scheduled Azure Function App.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "IntegrationTable_CL", + "baseQuery": "IntegrationTable_CL" + } + ], + "dataTypes": [ + { + "name": "IntegrationTable_CL", + "lastDataReceivedQuery": "IntegrationTable_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "IntegrationTable_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All table records sorted by time", + "query": "IntegrationTable_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "Permission to register an application in Microsoft Entra ID", + "description": "Sufficient permissions to register an application with your Microsoft Entra tenant are required." + }, + { + "name": "Permission to assign a role to the registered application", + "description": "Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/)." + }, + { + "description": "Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**.", + "title": "Step 1 - Create an API user" + }, + { + "description": "Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#register-a-new-application)", + "title": "Step 2 - Create a registered application" + }, + { + "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. 
You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.", + "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "ESET Protect Platform", + "publisherDisplayName": "ESET Enterprise Integrations", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

ESET Protect Platform solution for Microsoft Sentinel ingests detections from ESET Protect Platform using the provided Integration REST API.

\n

Underlying Microsoft Technologies used:

\n

The ESET Protect Platform solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Logs Ingestion API in Azure Monitor

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "ESET Protect Platform", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ESET" + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2024-10-15", + "lastPublishDate": "2024-10-15", + "providers": [ + "ESET Enterprise Integrations" + ], + "categories": { + "domains": [ + "Security - Automation (SOAR)", + "Security - Threat Protection" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/ESET Protect Platform/Package/testParameters.json b/Solutions/ESET Protect Platform/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/ESET Protect Platform/Package/testParameters.json 
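Review bot: The connector's `permissions.resourceProvider` entry for `Microsoft.OperationalInsights/workspaces/sharedKeys` contradicts the deployment guidance in the same `connectorUiConfig`: the instruction steps register an Entra application and assign it the Monitoring Metrics Publisher role, and `descriptionHtml` lists "Logs Ingestion API in Azure Monitor", whereas a workspace shared key is what the legacy Data Collector API needs. If the Function App only uses the Logs Ingestion API, drop the sharedKeys block so installers are not asked to read a workspace key the connector never uses, and reconsider `"delete": true` on the workspace permission, which the described flow does not require; if it does use shared keys, the steps are missing that part. This file looks like generated packaging output, so the correction presumably belongs in the connector definition the package is built from. Two wording points in the same hunk: `descriptionMarkdown` says "inject detections data" where "ingest" is meant, and the support email `eset-enterpise-integration@eset.com` (repeated in SolutionMetadata.json) looks misspelled — confirm with the publisher before release.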
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/ESET Protect Platform/ReleaseNotes.md b/Solutions/ESET Protect Platform/ReleaseNotes.md
new file mode 100644
index 00000000000..e5dd5cf78c4
--- /dev/null
+++ b/Solutions/ESET Protect Platform/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 04-11-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/ESET Protect Platform/SolutionMetadata.json b/Solutions/ESET Protect Platform/SolutionMetadata.json
new file mode 100644
index 00000000000..5e41a55f8d0
--- /dev/null
+++ b/Solutions/ESET Protect Platform/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "eset",
+ "offerId": "eset-protect-platform-solution",
+ "firstPublishDate": "2024-10-15",
+ "lastPublishDate": "2024-10-15",
+ "providers": ["ESET Enterprise Integrations"],
+ "categories": {
+ "domains" : ["Security - Automation (SOAR)", "Security - Threat Protection"]
+ },
+ "support": {
+ "name": "ESET Enterprise Integrations",
+ "email": "eset-enterpise-integration@eset.com",
+ "tier": "Partner",
+ "link": "https://help.eset.com/eset_connect/en-US/integrations.html"
+ }
+}
diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json
index 18fb4242e2f..34c02491a0b 100644
--- a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json
+++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json
@@ -20,9 +20,7 @@
 "TokenEndpointHeaders": {
 "Content-Type": "application/x-www-form-urlencoded"
 },
- "TokenEndpointQueryParameters": {
- "grant_type": "client_credentials"
- }
+ "TokenEndpointQueryParameters": {}
 },
 "request": {
 "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events",
@@ -30,7 +28,7 @@
 "queryParameters": {
 "max_results": 100,
 "sort": "-_created",
- "is_azure": "3.0.1"
+ "is_azure": "[variables('_solutionVersion')]"
 },
 "queryWindowInMin": 5,
 "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00",
diff --git a/Solutions/Ermes Browser Security/Package/3.0.3.zip b/Solutions/Ermes Browser Security/Package/3.0.3.zip
index c7847b2b742..3185c0785d0 100644
Binary files a/Solutions/Ermes Browser Security/Package/3.0.3.zip and b/Solutions/Ermes Browser Security/Package/3.0.3.zip differ
diff --git a/Solutions/Ermes Browser Security/Package/createUiDefinition.json b/Solutions/Ermes Browser Security/Package/createUiDefinition.json
index 04cad3d20ff..2eb8029336a 100644
--- a/Solutions/Ermes Browser Security/Package/createUiDefinition.json
+++ b/Solutions/Ermes Browser Security/Package/createUiDefinition.json
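Review bot: With `"TokenEndpointQueryParameters": {}` nothing in this hunk supplies `grant_type` any more, and a client-credentials token request that omits it is rejected by standard OAuth2 token endpoints, so every poll would fail before the events request on the following context line and ingestion would stop silently. The form-urlencoded `Content-Type` in the context lines suggests the parameter is meant to travel in the POST body; if the auth block outside this hunk sends `grant_type` there, say so in the release note, otherwise the removal needs to be reverted. `"is_azure": "[variables('_solutionVersion')]"` is an ARM expression, so it only resolves once the poller is embedded in mainTemplate.json, which receives the same two hunks further down in this commit; any tooling that reads data_connector_poller.json directly will send the literal string to the vendor API. Confirm against a test tenant that a token is still issued before the 3.0.3 package ships.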
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ermes%20Browser%20Security/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ermes%20Browser%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Ermes Browser Security/Package/mainTemplate.json b/Solutions/Ermes Browser Security/Package/mainTemplate.json
index 55bbf9be2ea..c599558e56e 100644
--- a/Solutions/Ermes Browser Security/Package/mainTemplate.json
+++ b/Solutions/Ermes Browser Security/Package/mainTemplate.json
@@ -557,9 +557,7 @@
 "TokenEndpointHeaders": {
 "Content-Type": "application/x-www-form-urlencoded"
 },
- "TokenEndpointQueryParameters": {
- "grant_type": "client_credentials"
- }
+ "TokenEndpointQueryParameters": {}
 },
 "request": {
 "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events",
@@ -567,7 +565,7 @@
 "queryParameters": {
 "max_results": 100,
 "sort": "-_created",
- "is_azure": "3.0.1"
+ "is_azure": "[variables('_solutionVersion')]"
 },
 "queryWindowInMin": 5,
 "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00",
@@ -612,7 +610,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "Ermes Browser Security",
 "publisherDisplayName": "Ermes Cyber Security S.p.A.",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Ermes Browser Security Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Ermes Browser Security Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/Ermes Browser Security/ReleaseNotes.md b/Solutions/Ermes Browser Security/ReleaseNotes.md
index a3e6c1091e2..d5462adbd8b 100644
--- a/Solutions/Ermes Browser Security/ReleaseNotes.md
+++ b/Solutions/Ermes Browser Security/ReleaseNotes.md
@@ -1,6 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|----------------------------------------------------|
-| 3.0.3 | 19-02-2024 | Updated _solutionVersion to dataConnectorCCPVersion |
-| 3.0.2 | 23-01-2024 | Updated paging type in **CCP Data Connector** |
-| 3.0.1 | 28-11-2023 | Updated **CCP Data Connector** |
+| 3.0.3 | 19-02-2024 | Updated _solutionVersion to dataConnectorCCPVersion.
Removed grant_type and added the Solution version to the query parameters |
+| 3.0.2 | 23-01-2024 | Updated paging type in **CCP Data Connector** |
+| 3.0.1 | 28-11-2023 | Updated **CCP Data Connector** |
 | 3.0.0 | 29-09-2023 | Initial Solution Release |
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
index 7c4d1b07b26..41d20c1937d 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
@@ -1,5 +1,5 @@
 id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
-name: Detect Connections Outside Operational Hours
+name: GSA - Detect Connections Outside Operational Hours
 description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
 severity: High
 status: Available
@@ -36,5 +36,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
index f9e25e2e0a8..b518991bcb6 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
@@ -1,5 +1,5 @@
 id: 57abf863-1c1e-46c6-85b2-35370b712c1e
-name: Detect IP Address Changes and Overlapping Sessions
+name: GSA - Detect IP Address Changes and Overlapping Sessions
 description: |
 This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
 severity: High
@@ -18,22 +18,37 @@ relevantTechniques:
 - T1078
 - T1133
 query: |
- // Identify sessions
- let sessions =
- NetworkAccessTraffic
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId
- | sort by StartTime asc;
- // Check for changed IP addresses and overlapping session times
- sessions
- | extend PreviousSourceIps = prev(SourceIps, 1)
- | extend PreviousEndTime = prev(EndTime, 1)
- | extend PreviousDeviceId = prev(DeviceId, 1)
- | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
- | where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName
- | where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ
- | where PreviousEndTime > StartTime // Check for overlapping session times
- | project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime
- | extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName
+ // Identify sessions
+ let sessions =
+ NetworkAccessTraffic
+ | summarize
+ StartTime = min(TimeGenerated),
+ EndTime = max(TimeGenerated),
+ SourceIps = make_set(SourceIp)
+ by DeviceId, UserPrincipalName, SessionId
+ | sort by StartTime asc;
+ // Check for changed IP addresses and overlapping session times
+ sessions
+ | extend PreviousSourceIps = prev(SourceIps, 1)
+ | extend PreviousEndTime = prev(EndTime, 1)
+ | extend PreviousDeviceId = prev(DeviceId, 1)
+ | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
+ | where DeviceId == PreviousDeviceId
+ and UserPrincipalName == PreviousUserPrincipalName
+ | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ
+ | where PreviousEndTime > StartTime // Check for overlapping session 
times
+ | project
+ DeviceId,
+ UserPrincipalName,
+ SourceIps,
+ PreviousSourceIps,
+ StartTime,
+ EndTime,
+ PreviousEndTime
+ | extend
+ IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]),
+ PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]),
+ AccountCustomEntity = UserPrincipalName
 entityMappings:
 - entityType: Account
 fieldMappings:
@@ -43,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml
index 8481644cb79..9d659589c2e 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml
@@ -121,9 +121,5 @@ entityMappings:
 columnName: UserWhoDeletedAccountName
 - identifier: UPNSuffix
 columnName: UserWhoDeletedAccountUPNSuffix
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: ClientIP
-version: 2.1.3
+version: 2.1.4
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml
index 256c1fac3da..940b571889d 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml
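Review bot: The `prev()` lookups still run after `| sort by StartTime asc;`, which orders rows by start time across every device and user, so the only row each session is compared with is whichever session started just before it regardless of owner; the following `| where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName` then discards every pair that had any other principal's session in between, and the reformatted query keeps that gap from the old version, so most overlapping sessions of one device/user are never flagged. Sorting on the grouping keys first makes consecutive rows belong to the same device and user: `| sort by DeviceId asc, UserPrincipalName asc, StartTime asc;`. A smaller point: `IPCustomEntity` only surfaces the first element of `SourceIps`, so a session seen from several addresses maps just one of them to the IP entity; that is pre-existing, but a comment such as `// Only the first address of the set is mapped to the IP entity` would stop the next reader from assuming otherwise.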
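Review bot: Dropping the `IP` entity mapping for `ClientIP` removes the address pivot from incidents this rule raises, and the hunk shows no matching change to the query, which lies outside it. If the query no longer outputs `ClientIP` the removal is correct, but the version bump to 2.1.4 alone does not say so; if it still does, keep the mapping. A one-line note in the rule's description, e.g. `IP entity mapping removed because ClientIP is no longer part of the query output`, would make the intent reviewable.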
@@ -23,53 +23,85 @@ relevantTechniques: - T1114 - T1020 query: | - // OfficeActivity Query - let officeActivityQuery = OfficeActivity - | where OfficeWorkload == "Exchange" - | where Operation in~ ("New-TransportRule", "Set-TransportRule") - | mv-apply DynamicParameters = todynamic(Parameters) on ( - summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) - ) - | extend RuleName = case( - Operation =~ "Set-TransportRule", OfficeObjectId, - Operation =~ "New-TransportRule", ParsedParameters.Name, - "Unknown" - ) - | mv-expand ExpandedParameters = todynamic(Parameters) - | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) - | extend RedirectTo = ExpandedParameters.Value - | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] - | extend From = ParsedParameters.From - | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters - | extend AccountName = tostring(split(UserId, "@")[0]), - AccountUPNSuffix = tostring(split(UserId, "@")[1]); - // EnrichedMicrosoft365AuditLogs Query - let enrichedLogsQuery = EnrichedMicrosoft365AuditLogs - | where Workload == "Exchange" - | where Operation in~ ("New-TransportRule", "Set-TransportRule") - | extend AdditionalProps = parse_json(AdditionalProperties) - | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on ( - summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) - ) - | extend RuleName = case( - Operation =~ "Set-TransportRule", ObjectId, - Operation =~ "New-TransportRule", ParsedParameters.Name, - "Unknown" - ) - | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters) - | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and 
isnotempty(ExpandedParameters.Value) - | extend RedirectTo = ExpandedParameters.Value - | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0] - | extend From = ParsedParameters.From - | extend UserAgent = tostring(AdditionalProps.UserAgent) - | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProps.Parameters), UserAgent - | extend AccountName = tostring(split(UserId, "@")[0]), - AccountUPNSuffix = tostring(split(UserId, "@")[1]); - // Combine both queries - union isfuzzy=true officeActivityQuery, enrichedLogsQuery - | summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo - | project TimeGenerated, RedirectTo, IPAddress, Port, UserId, From, Operation, RuleName, Parameters, AccountName, AccountUPNSuffix - | order by TimeGenerated desc; + // OfficeActivity Query + let officeActivityQuery = OfficeActivity + | where OfficeWorkload == "Exchange" + | where Operation in~ ("New-TransportRule", "Set-TransportRule") + | mv-apply DynamicParameters = todynamic(Parameters) on ( + summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) + ) + | extend RuleName = case( + Operation =~ "Set-TransportRule", OfficeObjectId, + Operation =~ "New-TransportRule", ParsedParameters.Name, + "Unknown" + ) + | mv-expand ExpandedParameters = todynamic(Parameters) + | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) + | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string + | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] + | extend From = ParsedParameters.From + | project + TimeGenerated, + RedirectTo, + IPAddress = 
tostring(ClientIPValues[0]), + Port = tostring(ClientIPValues[1]), + UserId, + From, + Operation, + RuleName, + Parameters + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // EnrichedMicrosoft365AuditLogs Query + let enrichedLogsQuery = EnrichedMicrosoft365AuditLogs + | where Workload == "Exchange" + | where Operation in~ ("New-TransportRule", "Set-TransportRule") + | extend AdditionalProps = parse_json(AdditionalProperties) + | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on ( + summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) + ) + | extend RuleName = case( + Operation =~ "Set-TransportRule", ObjectId, + Operation =~ "New-TransportRule", ParsedParameters.Name, + "Unknown" + ) + | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters) + | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) + | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string + | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0] + | extend From = ParsedParameters.From + | extend UserAgent = tostring(AdditionalProps.UserAgent) + | project + TimeGenerated, + RedirectTo, + IPAddress = tostring(ClientIPValues[0]), + Port = tostring(ClientIPValues[1]), + UserId, + From, + Operation, + RuleName, + Parameters = tostring(AdditionalProps.Parameters), + UserAgent + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // Combine both queries + union isfuzzy=true officeActivityQuery, enrichedLogsQuery + | summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo + | project + TimeGenerated, + RedirectTo, + IPAddress, + Port, + UserId, + From, + Operation, + RuleName, + Parameters, + AccountName, + AccountUPNSuffix + 
| order by TimeGenerated desc entityMappings: - entityType: Account fieldMappings: @@ -83,5 +115,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 2.1.4 +version: 2.1.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml index 137210a2b0a..8cae3de7ca2 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml @@ -1,5 +1,5 @@ id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b -name: Detect Abnormal Deny Rate for Source to Destination IP +name: GSA - Detect Abnormal Deny Rate for Source to Destination IP description: | Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. configurableParameters: @@ -54,5 +54,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: DestinationIp -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml index cfb6b7509f2..a195c01775c 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml 
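Review bot: The `tostring()` cast added to `RedirectTo` in both legs is the right fix for the `union`/`summarize` key, but the other key, `RuleName`, is built on the `| extend RuleName = case(` lines of each leg from a string column (`OfficeObjectId` / `ObjectId`) and the dynamic `ParsedParameters.Name`, so it should get the same treatment, `| extend RuleName = tostring(case(...))`, to make both `summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo` keys string-typed whatever coercion the engine applies to the mixed branches. The two `// Cast to string` comments only restate the code; say why instead, e.g. `// string type so both union legs agree on the summarize key`. Separately, the capture-group names of the `extract_all` pattern are not visible here (`(?P(`), presumably lost in rendering since the capture list names `IPAddress` and `Port`; worth confirming the file itself still carries the named groups, because an unnamed `(?P(` is not a valid pattern.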
@@ -1,5 +1,5 @@ id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a -name: Detect Protocol Changes for Destination Ports +name: GSA - Detect Protocol Changes for Destination Ports description: | Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. @@ -50,5 +50,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: FqdnCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml index 1c2f4ebeb1e..9cb257bc4b7 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml @@ -1,5 +1,5 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 -name: Detect Source IP Scanning Multiple Open Ports +name: GSA - Detect Source IP Scanning Multiple Open Ports description: | Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. Configurable Parameters: @@ -25,9 +25,9 @@ query: | NetworkAccessTraffic | where TimeGenerated > ago(1d) | where Action == 'Allowed' - | summarize PortsScanned = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, port_scan_time) + | summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time) | where PortsScanned > min_ports_threshold - | project SourceIp, PortsScanned, TimeGenerated + | project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn entityMappings: - entityType: IP fieldMappings: 
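Review bot: Adding `DestinationFqdn` to the `by` clause of the `summarize` changes what is counted, not just what is shown: `PortsScanned = dcount(DestinationPort)` is now per (SourceIp, DestinationFqdn) instead of per source, so a source that touches a few ports on each of many hosts no longer reaches `min_ports_threshold`, which is a coverage regression for the "multiple open ports" case the rule name describes. If the FQDN is only needed for the URL entity, keep the original grouping and carry the destinations as an aggregate, e.g. `| summarize PortsScanned = dcount(DestinationPort), DestinationFqdns = make_set(DestinationFqdn) by SourceIp, bin(TimeGenerated, port_scan_time)`, and map the entity from one element of that set. If per-destination counting is the intent, the rule description and the `Configurable Parameters` text should say so. Minor: the `project` line lost the space after the comma (`TimeGenerated,DestinationFqdn`).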
@@ -36,6 +36,6 @@ entityMappings:
 - entityType: URL
 fieldMappings:
 - identifier: Url
- columnName: Fqdn
-version: 1.0.0
+ columnName: DestinationFqdn
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml b/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml
index d32cfda7041..e273707ca43 100644
--- a/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml
+++ b/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml
@@ -14,77 +14,116 @@ tags: - Solorigate - NOBELIUM query: | - let starttime = todatetime('{{StartTimeISO}}'); - let endtime = todatetime('{{EndTimeISO}}'); - let lookback = totimespan((endtime - starttime) * 2); - let user_threshold = 1; // Threshold for number of mailboxes accessed - let folder_threshold = 5; // Threshold for number of mailbox folders accessed - // OfficeActivity Query - let OfficeEvents = OfficeActivity - | where TimeGenerated between (ago(lookback)..starttime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | where tolower(MailboxOwnerUPN) != tolower(UserId) - | join kind=rightanti ( - OfficeActivity - | where TimeGenerated between (starttime..endtime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | where tolower(MailboxOwnerUPN) != tolower(UserId) - ) on MailboxOwnerUPN, UserId - | where isnotempty(Folders) - | mv-expand parse_json(Folders) - | extend folders = tostring(Folders.Path) - | extend ClientIP = iif(Client_IPAddress startswith "[", extract("\\[([^\\]]*)", 1, Client_IPAddress), Client_IPAddress) - | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId - | extend folder_count = array_length(set_folders) - | extend user_count = array_length(set_MailboxGuid) - | where user_count > user_threshold or folder_count > folder_threshold - | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded", "User Threshold Exceeded") - | sort by user_count desc - | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, 
set_ClientIP, set_ClientInfoString, set_folders - | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) - | extend Account_0_Name = AccountName - | extend Account_0_UPNSuffix = AccountUPNSuffix; - // EnrichedMicrosoft365AuditLogs Query - let EnrichedEvents = EnrichedMicrosoft365AuditLogs - | where TimeGenerated between (ago(lookback)..starttime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) - | where tolower(MailboxOwnerUPN) != tolower(UserId) - | join kind=rightanti ( - EnrichedMicrosoft365AuditLogs - | where TimeGenerated between (starttime..endtime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) - | where tolower(MailboxOwnerUPN) != tolower(UserId) - ) on MailboxOwnerUPN, UserId - | where isnotempty(tostring(parse_json(AdditionalProperties).Folders)) - | mv-expand Folders = parse_json(AdditionalProperties).Folders - | extend folders = tostring(Folders.Path) - | extend ClientIP = iif(ClientIp startswith "[", extract("\\[([^\\]]*)", 1, ClientIp), ClientIp) - | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString) - | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid) - | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId - | extend folder_count = array_length(set_folders) - | extend user_count = array_length(set_MailboxGuid) - | where user_count > user_threshold or folder_count > folder_threshold - | extend Reason = case(user_count > 
user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded", "User Threshold Exceeded") - | sort by user_count desc - | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders - | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) - | extend Account_0_Name = AccountName - | extend Account_0_UPNSuffix = AccountUPNSuffix; - // Combine Office and Enriched Logs - let CombinedEvents = OfficeEvents - | union EnrichedEvents - | summarize arg_min(StartTime, *) by UserId, ClientIP; - // Final Output - CombinedEvents - | project UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders, AccountName, AccountUPNSuffix - | order by user_count desc + let starttime = todatetime('{{StartTimeISO}}'); + let endtime = todatetime('{{EndTimeISO}}'); + let lookback = totimespan((endtime - starttime) * 2); + let user_threshold = 1; // Threshold for number of mailboxes accessed + let folder_threshold = 5; // Threshold for number of mailbox folders accessed + // OfficeActivity Query + let OfficeEvents = OfficeActivity + | where TimeGenerated between (ago(lookback)..starttime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | where tolower(MailboxOwnerUPN) != tolower(UserId) + | join kind=rightanti ( + OfficeActivity + | where TimeGenerated between (starttime..endtime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | where tolower(MailboxOwnerUPN) != tolower(UserId) + ) on MailboxOwnerUPN, UserId + | where isnotempty(Folders) + | mv-expand ParsedFolders = parse_json(Folders) + | extend folders = tostring(ParsedFolders.Path) + | extend ClientIP = iif(Client_IPAddress startswith "[", extract("\\[([^\\]]*)", 1, Client_IPAddress), 
Client_IPAddress) + | summarize + StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), + set_folders = make_set(folders, 100000), + set_ClientInfoString = make_set(ClientInfoString, 100000), + set_ClientIP = make_set(ClientIP, 100000), + set_MailboxGuid = make_set(MailboxGuid, 100000), + set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) + by UserId + | extend + folder_count = array_length(set_folders), + user_count = array_length(set_MailboxGuid) + | where user_count > user_threshold or folder_count > folder_threshold + | extend Reason = case( + user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", + folder_count > folder_threshold and user_count <= user_threshold, "Folder Count Threshold Exceeded", + "User Threshold Exceeded") + | sort by user_count desc + | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // EnrichedMicrosoft365AuditLogs Query + let EnrichedEvents = EnrichedMicrosoft365AuditLogs + | where TimeGenerated between (ago(lookback)..starttime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) + | where tolower(MailboxOwnerUPN) != tolower(UserId) + | join kind=rightanti ( + EnrichedMicrosoft365AuditLogs + | where TimeGenerated between (starttime..endtime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) + | where tolower(MailboxOwnerUPN) != tolower(UserId) + ) on MailboxOwnerUPN, UserId + | where isnotempty(tostring(parse_json(AdditionalProperties).Folders)) + | mv-expand ParsedFolders = parse_json(AdditionalProperties).Folders + | extend folders = 
tostring(ParsedFolders.Path) + | extend ClientIP = iif(ClientIp startswith "[", extract("\\[([^\\]]*)", 1, ClientIp), ClientIp) + | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString) + | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid) + | summarize + StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), + set_folders = make_set(folders, 100000), + set_ClientInfoString = make_set(ClientInfoString, 100000), + set_ClientIP = make_set(ClientIP, 100000), + set_MailboxGuid = make_set(MailboxGuid, 100000), + set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) + by UserId + | extend + folder_count = array_length(set_folders), + user_count = array_length(set_MailboxGuid) + | where user_count > user_threshold or folder_count > folder_threshold + | extend Reason = case( + user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", + folder_count > folder_threshold and user_count <= user_threshold, "Folder Count Threshold Exceeded", + "User Threshold Exceeded") + | sort by user_count desc + | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // Combine Office and Enriched Logs + let CombinedEvents = OfficeEvents + | union EnrichedEvents + | mv-expand ClientIP = set_ClientIP // Expand the set_ClientIP into individual ClientIP rows + | extend ClientIP = tostring(ClientIP) // Explicitly cast ClientIP to string + | summarize arg_min(StartTime, *) by UserId, ClientIP + // Define AccountName and AccountUPNSuffix after summarize to ensure they're available + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // Final Output + CombinedEvents + | project + UserId, + user_count, + folder_count, + set_MailboxOwnerUPN, + 
set_ClientIP, + set_ClientInfoString, + set_folders, + AccountName, + AccountUPNSuffix + | order by user_count desc entityMappings: - entityType: Account fieldMappings: @@ -92,4 +131,4 @@ entityMappings: columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.2 +version: 2.0.3 diff --git a/Solutions/Global Secure Access/Package/3.0.0.zip b/Solutions/Global Secure Access/Package/3.0.0.zip index cf955a94a0e..6145e17ffcd 100644 Binary files a/Solutions/Global Secure Access/Package/3.0.0.zip and b/Solutions/Global Secure Access/Package/3.0.0.zip differ diff --git a/Solutions/Global Secure Access/Package/createUiDefinition.json b/Solutions/Global Secure Access/Package/createUiDefinition.json index ab866d954b8..f3d85d5a148 100644 --- a/Solutions/Global Secure Access/Package/createUiDefinition.json +++ b/Solutions/Global Secure Access/Package/createUiDefinition.json @@ -80,7 +80,7 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": "Microsoft Global Secure Access Enriched M365 Logs", + "label": "Enriched Microsoft 365 logs Workbook", "elements": [ { "name": "workbook1-text", @@ -94,7 +94,7 @@ { "name": "workbook2", "type": "Microsoft.Common.Section", - "label": "Microsoft Global Secure Access Traffic Logs", + "label": "Network Traffic Insights", "elements": [ { "name": "workbook2-text", @@ -136,7 +136,7 @@ { "name": "analytic1", "type": "Microsoft.Common.Section", - "label": "Detect Connections Outside Operational Hours", + "label": "GSA - Detect Connections Outside Operational Hours", "elements": [ { "name": "analytic1-text", @@ -150,7 +150,7 @@ { "name": "analytic2", "type": "Microsoft.Common.Section", - "label": "Detect IP Address Changes and Overlapping Sessions", + "label": "GSA - Detect IP Address Changes and Overlapping Sessions", "elements": [ { "name": "analytic2-text", 
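Review bot: `StartTime = max(TimeGenerated), EndTime = min(TimeGenerated)` in both rewritten `summarize` blocks is inverted (the earliest event is the start), so `StartTime` lands after `EndTime` and the `arg_min(StartTime, *)` in `CombinedEvents` selects by the latest event rather than the earliest; swap the two lines to `StartTime = min(TimeGenerated),` and `EndTime = max(TimeGenerated),` in both the `OfficeEvents` and `EnrichedEvents` legs. The new `mv-expand ClientIP = set_ClientIP` yields one row per user and IP, but the final `| project` lists `set_ClientIP` and not `ClientIP`, so the output repeats a user's row once per IP with no visible difference between the copies; add `ClientIP,` to the projection, or drop the expansion if one row per user is the intent. The `extend` after the summarize recomputes `AccountName`/`AccountUPNSuffix`, which `arg_min(StartTime, *)` already carries from each leg, so the comment "to ensure they're available" is not accurate and that extend can go.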
@@ -360,7 +360,7 @@ { "name": "analytic17", "type": "Microsoft.Common.Section", - "label": "Detect Abnormal Deny Rate for Source to Destination IP", + "label": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", "elements": [ { "name": "analytic17-text", @@ -374,7 +374,7 @@ { "name": "analytic18", "type": "Microsoft.Common.Section", - "label": "Detect Protocol Changes for Destination Ports", + "label": "GSA - Detect Protocol Changes for Destination Ports", "elements": [ { "name": "analytic18-text", @@ -388,7 +388,7 @@ { "name": "analytic19", "type": "Microsoft.Common.Section", - "label": "Detect Source IP Scanning Multiple Open Ports", + "label": "GSA - Detect Source IP Scanning Multiple Open Ports", "elements": [ { "name": "analytic19-text", diff --git a/Solutions/Global Secure Access/Package/mainTemplate.json b/Solutions/Global Secure Access/Package/mainTemplate.json index d962276efd5..4f1d323bb5b 100644 --- a/Solutions/Global Secure Access/Package/mainTemplate.json +++ b/Solutions/Global Secure Access/Package/mainTemplate.json @@ -30,7 +30,7 @@ }, "workbook1-name": { "type": "string", - "defaultValue": "Microsoft Global Secure Access Enriched M365 Logs", + "defaultValue": "Enriched Microsoft 365 logs Workbook", "minLength": 1, "metadata": { "description": "Name for the workbook" @@ -38,7 +38,7 @@ }, "workbook2-name": { "type": "string", - "defaultValue": "Microsoft Global Secure Access Traffic Logs", + "defaultValue": "Network Traffic Insights", "minLength": 1, "metadata": { "description": "Name for the workbook" 
@@ -66,18 +66,18 @@ "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", + "analyticRuleVersion1": "1.0.1", "_analyticRulecontentId1": "4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.1')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.0", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "57abf863-1c1e-46c6-85b2-35370b712c1e", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57abf863-1c1e-46c6-85b2-35370b712c1e')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57abf863-1c1e-46c6-85b2-35370b712c1e')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.0')))]" + "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.2')))]" }, "analyticRuleObject3": { "analyticRuleVersion3": "2.0.8", @@ -87,11 +87,11 @@ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.8')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "2.1.3", + "analyticRuleVersion4": "2.1.4", "_analyticRulecontentId4": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.3')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.4')))]" }, "analyticRuleObject5": { "analyticRuleVersion5": "2.1.4", 
@@ -101,11 +101,11 @@ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.4')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "2.1.4", + "analyticRuleVersion6": "2.1.5", "_analyticRulecontentId6": "edcfc2e0-3134-434c-8074-9101c530d419", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.4')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.5')))]" }, "analyticRuleObject7": { "analyticRuleVersion7": "2.0.6", 
@@ -164,11 +164,11 @@ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.6')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.5", + "analyticRuleVersion15": "1.0.6", "_analyticRulecontentId15": "30375d00-68cc-4f95-b89a-68064d566358", "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30375d00-68cc-4f95-b89a-68064d566358')]", "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.5')))]" + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.6')))]" }, "analyticRuleObject16": { "analyticRuleVersion16": "2.0.8", 
@@ -178,28 +178,28 @@ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '2.0.8')))]" }, "analyticRuleObject17": { - "analyticRuleVersion17": "1.0.0", + "analyticRuleVersion17": "1.0.1", "_analyticRulecontentId17": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b", "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]", "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.0')))]" + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.1')))]" }, "analyticRuleObject18": { - "analyticRuleVersion18": "1.0.0", + "analyticRuleVersion18": "1.0.1", "_analyticRulecontentId18": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a", "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]", "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.0')))]" + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.1')))]" }, "analyticRuleObject19": { - "analyticRuleVersion19": "1.0.0", + "analyticRuleVersion19": "1.0.1", "_analyticRulecontentId19": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1", "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]", "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.0')))]" + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.1')))]" }, "huntingQueryObject1": { - "huntingQueryVersion1": "2.0.2", + "huntingQueryVersion1": "2.0.3", "_huntingQuerycontentId1": "271e8881-3044-4332-a5f4-42264c2e0315", "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('271e8881-3044-4332-a5f4-42264c2e0315')))]" }, 
@@ -344,7 +344,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=GSAM365EnrichedEvents; logoFileName=gsa.svg; description=This Workbook provides a detailed view of Microsoft 365 log data, enriched with contextual information to enhance visibility into user activities and potential security threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Global Secure Access Enriched M365 Logs; templateRelativePath=GSAM365EnrichedEvents.json; provider=Microsoft}.description", + "description": "@{workbookKey=GSAM365EnrichedEvents; logoFileName=gsa.svg; description=This Workbook provides a detailed view of Microsoft 365 log data, enriched with contextual information to enhance visibility into user activities and potential security threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Enriched Microsoft 365 logs Workbook; templateRelativePath=GSAM365EnrichedEvents.json; provider=Microsoft}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", 
@@ -428,7 +428,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "@{workbookKey=GSANetworkTraffic; logoFileName=gsa.svg; description=This workbook provides an overview of all traffic logs within your network, offering insights into data transfer, anomalies, and potential threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Global Secure Access Traffic Logs; templateRelativePath=GSANetworkTraffic.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=GSANetworkTraffic; logoFileName=gsa.svg; description=This workbook provides an overview of all traffic logs within your network, offering insights into data transfer, anomalies, and potential threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Network Traffic Insights; templateRelativePath=GSANetworkTraffic.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId2')]", "contentId": "[variables('_workbookContentId2')]", "kind": "Workbook", 
@@ -498,7 +498,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.", - "displayName": "Detect Connections Outside Operational Hours", + "displayName": "GSA - Detect Connections Outside Operational Hours", "enabled": false, "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between(starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n", "queryFrequency": "PT1H", @@ -511,10 +511,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -529,8 +529,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] }, @@ -538,8 +538,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } 
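Review bot: The `requiredDataConnectors` entry in this hunk declares `EnrichedMicrosoft365AuditLogs` as the required data type, but the rule's query in the preceding hunk reads the `NetworkAccessTraffic` table, so the solution's dependency check reports on the wrong table and the rule can appear installable while its real source is not connected. The deny-rate rule further down this template lists `NetworkAccessTrafficLogs` for the same table, and this entry should match it: `"dataTypes": [ "NetworkAccessTrafficLogs" ]`. As a related caveat, the query's `todatetime('{{StartTimeISO}}')` / `{{EndTimeISO}}` placeholders are hunting-query tokens that, as far as I know, are not substituted in scheduled analytics rules; if they are left unresolved the `between` filter matches no rows and the rule never fires, so a scheduled rule should rely on `queryPeriod` instead. This template is presumably generated from the rule YAML, so the fix belongs in the source rule rather than here.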
@@ -582,7 +582,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", - "displayName": "Detect Connections Outside Operational Hours", + "displayName": "GSA - Detect Connections Outside Operational Hours", "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" 
@@ -612,9 +612,9 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.", - "displayName": "Detect IP Address Changes and Overlapping Sessions", + "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions", "enabled": false, - "query": "// Identify sessions\nlet sessions = \n NetworkAccessTraffic\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId\n | sort by StartTime asc;\n// Check for changed IP addresses and overlapping session times\nsessions\n | extend PreviousSourceIps = prev(SourceIps, 1)\n | extend PreviousEndTime = prev(EndTime, 1)\n | extend PreviousDeviceId = prev(DeviceId, 1)\n | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)\n | where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName\n | where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ\n | where PreviousEndTime > StartTime // Check for overlapping session times\n | project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime\n | extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName\n", + "query": "// Identify sessions\nlet sessions = \n NetworkAccessTraffic\n | summarize \n StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n SourceIps = make_set(SourceIp) \n by DeviceId, UserPrincipalName, SessionId\n | sort by StartTime asc;\n// Check for changed IP addresses and overlapping session times\nsessions\n | extend PreviousSourceIps = prev(SourceIps, 1)\n | extend PreviousEndTime = prev(EndTime, 1)\n | extend PreviousDeviceId 
= prev(DeviceId, 1)\n | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)\n | where DeviceId == PreviousDeviceId \n and UserPrincipalName == PreviousUserPrincipalName\n | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ\n | where PreviousEndTime > StartTime // Check for overlapping session times\n | project \n DeviceId, \n UserPrincipalName, \n SourceIps, \n PreviousSourceIps, \n StartTime, \n EndTime, \n PreviousEndTime\n | extend \n IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), \n PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), \n AccountCustomEntity = UserPrincipalName\n", "queryFrequency": "PT1H", "queryPeriod": "PT24H", "severity": "High", @@ -625,10 +625,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -643,8 +643,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] }, @@ -652,8 +652,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -696,7 +696,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", - "displayName": "Detect IP Address Changes and Overlapping Sessions", + "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions", "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" 
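Review bot: The rewritten query still orders `sessions` with `sort by StartTime asc` and then compares each row only against `prev(...)`, while the `where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName` filter discards any pair whose neighbour belongs to another device or user; in a tenant with many concurrent users the adjacent row is usually someone else's session, so overlapping sessions of the same account are silently dropped. Sorting within the partition fixes this with one line, `| sort by DeviceId, UserPrincipalName, StartTime asc`, after which `prev()` compares consecutive sessions of the same device and user and the equality filter only guards partition boundaries. Note also that only the first element of `SourceIps` is surfaced as `IPCustomEntity`, so an alert shows at most one of the conflicting addresses.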
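Review bot: The `requiredDataConnectors` block in this hunk names `EnrichedMicrosoft365AuditLogs`, but the rule's query in the hunk above reads `NetworkAccessTraffic`, so the declared dependency does not reflect the table the detection actually consumes. It should be `"dataTypes": [ "NetworkAccessTrafficLogs" ]`, as the deny-rate rule later in this template declares for the same table; with the current value the rule can show as ready while its source is not connected.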
@@ -739,16 +739,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -762,16 +762,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -779,8 +779,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } @@ -866,16 +866,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -889,16 +889,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "MemberAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "MemberAdded" }, { - "columnName": "MemberAddedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "MemberAddedAccountName" }, { - "columnName": "MemberAddedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "MemberAddedAccountUPNSuffix" } ] }, 
@@ -906,16 +906,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoAdded" }, { - "columnName": "UserWhoAddedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoAddedAccountName" }, { - "columnName": "UserWhoAddedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserWhoAddedAccountUPNSuffix" } ] }, @@ -923,25 +923,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoDeleted", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoDeleted" }, { - "columnName": "UserWhoDeletedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoDeletedAccountName" }, { - "columnName": "UserWhoDeletedAccountUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "UPNSuffix", + "columnName": "UserWhoDeletedAccountUPNSuffix" } ] } @@ -1027,16 +1018,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -1050,16 +1041,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "MemberAdded_Removed", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "MemberAdded_Removed" }, { - "columnName": "MemberAdded_RemovedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "MemberAdded_RemovedAccountName" }, { - "columnName": "MemberAdded_RemovedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "MemberAdded_RemovedAccountUPNSuffix" } ] }, 
@@ -1067,16 +1058,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoAdded" }, { - "columnName": "UserWhoAddedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoAddedAccountName" }, { - "columnName": "UserWhoAddedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserWhoAddedAccountUPNSuffix" } ] }, @@ -1084,16 +1075,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoDeleted", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoDeleted" }, { - "columnName": "UserWhoDeletedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoDeletedAccountName" }, { - "columnName": "UserWhoDeletedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserWhoDeletedAccountUPNSuffix" } ] }, @@ -1101,8 +1092,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } 
@@ -1177,7 +1168,7 @@ "description": "Identifies when an Exchange Online transport rule is configured to forward emails.\nThis could indicate an adversary mailbox configured to collect mail from multiple user accounts.", "displayName": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule", "enabled": false, - "query": "// OfficeActivity Query\nlet officeActivityQuery = OfficeActivity\n | where OfficeWorkload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | mv-apply DynamicParameters = todynamic(Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | extend RuleName = case(\n Operation =~ \"Set-TransportRule\", OfficeObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = ExpandedParameters.Value\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend From = ParsedParameters.From\n | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters\n | extend AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n// EnrichedMicrosoft365AuditLogs Query\nlet enrichedLogsQuery = EnrichedMicrosoft365AuditLogs\n | where Workload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | extend AdditionalProps = parse_json(AdditionalProperties)\n | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n 
| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", ObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = ExpandedParameters.Value\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIp)[0]\n | extend From = ParsedParameters.From\n | extend UserAgent = tostring(AdditionalProps.UserAgent)\n | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProps.Parameters), UserAgent\n | extend AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n// Combine both queries\nunion isfuzzy=true officeActivityQuery, enrichedLogsQuery\n| summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo\n| project TimeGenerated, RedirectTo, IPAddress, Port, UserId, From, Operation, RuleName, Parameters, AccountName, AccountUPNSuffix\n| order by TimeGenerated desc;\n", + "query": "// OfficeActivity Query\nlet officeActivityQuery = OfficeActivity\n | where OfficeWorkload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | mv-apply DynamicParameters = todynamic(Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | extend RuleName = case(\n Operation =~ \"Set-TransportRule\", OfficeObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and 
isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend From = ParsedParameters.From\n | project\n TimeGenerated,\n RedirectTo,\n IPAddress = tostring(ClientIPValues[0]),\n Port = tostring(ClientIPValues[1]),\n UserId,\n From,\n Operation,\n RuleName,\n Parameters\n | extend\n AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // EnrichedMicrosoft365AuditLogs Query\n let enrichedLogsQuery = EnrichedMicrosoft365AuditLogs\n | where Workload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | extend AdditionalProps = parse_json(AdditionalProperties)\n | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | extend RuleName = case(\n Operation =~ \"Set-TransportRule\", ObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIp)[0]\n | extend From = ParsedParameters.From\n | extend UserAgent = tostring(AdditionalProps.UserAgent)\n | project\n TimeGenerated,\n RedirectTo,\n IPAddress = tostring(ClientIPValues[0]),\n Port = tostring(ClientIPValues[1]),\n UserId,\n From,\n Operation,\n RuleName,\n Parameters = tostring(AdditionalProps.Parameters),\n UserAgent\n | 
extend\n AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // Combine both queries\n union isfuzzy=true officeActivityQuery, enrichedLogsQuery\n | summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo\n | project\n TimeGenerated,\n RedirectTo,\n IPAddress,\n Port,\n UserId,\n From,\n Operation,\n RuleName,\n Parameters,\n AccountName,\n AccountUPNSuffix\n | order by TimeGenerated desc\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -1188,16 +1179,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1213,16 +1204,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1230,8 +1221,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ] } @@ -1317,16 +1308,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ 
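Review bot: The new query casts `RedirectTo` with `tostring()` but leaves `RuleName` as a `case()` whose branches mix a string column (`OfficeObjectId` / `ObjectId`) with the dynamic `ParsedParameters.Name`; since `RuleName` is also a `summarize ... by` key in the final union, it deserves the same treatment, `tostring(ParsedParameters.Name)` in the `New-TransportRule` branch of both sub-queries. As a coverage caveat, the filter `ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo")` only catches two of the transport-rule actions that deliver mail to another recipient; `CopyTo` and `AddToRecipients` produce the same collection effect and are not matched, so an adversary choosing either parameter bypasses this rule. Both changes are small and belong in the source rule YAML from which this template is presumably generated.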
@@ -1342,16 +1333,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1359,8 +1350,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIPAddress" } ] } @@ -1446,16 +1437,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -1470,16 +1461,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] } @@ -1565,16 +1556,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ 
@@ -1590,16 +1581,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1607,8 +1598,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } @@ -1694,16 +1685,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -1719,16 +1710,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1736,8 +1727,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } @@ -1823,16 +1814,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ 
@@ -1848,16 +1839,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1865,8 +1856,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -1874,8 +1865,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Site_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Site_Url" } ] }, @@ -1883,8 +1874,8 @@ "entityType": "File", "fieldMappings": [ { - "columnName": "FileNames", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileNames" } ] } @@ -1970,16 +1961,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -1995,16 +1986,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -2012,8 +2003,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIPOnly", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIPOnly" } ] } 
@@ -2099,16 +2090,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -2122,16 +2113,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -2139,8 +2130,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -2148,8 +2139,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Site_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Site_Url" } ] } @@ -2235,16 +2226,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -2258,16 +2249,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "UserIdName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserIdName" }, { - "columnName": "UserIdUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserIdUPNSuffix" } ] }, 
@@ -2275,8 +2266,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -2284,8 +2275,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Site_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Site_Url" } ] } @@ -2371,16 +2362,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -2394,16 +2385,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -2411,8 +2402,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -2420,8 +2411,8 @@ "entityType": "File", "fieldMappings": [ { - "columnName": "FileSample", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileSample" } ] } @@ -2431,16 +2422,16 @@ "FilesList": "fileslist" }, "incidentConfiguration": { + "createIncident": true, "groupingConfiguration": { "reopenClosedIncident": false, - "enabled": true, - "lookbackDuration": "PT5H", "matchingMethod": "Selected", + "lookbackDuration": "PT5H", "groupByEntities": [ "Account" - ] - }, - "createIncident": true + ], + "enabled": true + } } } }, 
@@ -2523,16 +2514,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -2546,16 +2537,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -2563,8 +2554,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -2572,8 +2563,8 @@ "entityType": "File", "fieldMappings": [ { - "columnName": "FileSample", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileSample" } ] } @@ -2583,16 +2574,16 @@ "FilesList": "fileslist" }, "incidentConfiguration": { + "createIncident": true, "groupingConfiguration": { "reopenClosedIncident": false, - "enabled": true, - "lookbackDuration": "PT5H", "matchingMethod": "Selected", + "lookbackDuration": "PT5H", "groupByEntities": [ "Account" - ] - }, - "createIncident": true + ], + "enabled": true + } } } }, 
@@ -2662,7 +2653,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.", - "displayName": "Detect Abnormal Deny Rate for Source to Destination IP", + "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", "enabled": false, "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == 'Denied'\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold \n", "queryFrequency": "PT1H", 
@@ -2675,10 +2666,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "NetworkAccessTrafficLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2691,8 +2682,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIp" } ] }, @@ -2700,8 +2691,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "DestinationIp", - "identifier": "Url" + "identifier": "Url", + "columnName": "DestinationIp" } ] } @@ -2744,7 +2735,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "contentKind": "AnalyticsRule", - "displayName": "Detect Abnormal Deny Rate for Source to Destination IP", + "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" 
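Review bot: The `@@ -2700` hunk re-emits an entity mapping whose `columnName` is `DestinationIp` under `"entityType": "URL"` with identifier `Url`, but that column holds an IP address (the rule's query projects `DestinationIp` straight from `NetworkAccessTraffic`), so it should be an `IP` entity with `"identifier": "Address"`, exactly as the `SourceIp` mapping in `@@ -2691` already is. Packing an IP into a URL entity means the destination never becomes an IP entity for incident grouping, the investigation graph or threat-intel matching. The same question applies to the FQDN columns mapped to `URL` entities in `@@ -2812` (`FqdnCustomEntity`) and `@@ -2925` (`DestinationFqdn`), where a `DNS` entity with `"identifier": "DomainName"` is presumably the closer fit. This package file looks generated from the rule YAML, so the fix belongs in the source rule followed by a regenerated package rather than a hand edit here.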
@@ -2774,7 +2765,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.", - "displayName": "Detect Protocol Changes for Destination Ports", + "displayName": "GSA - Detect Protocol Changes for Destination Ports", "enabled": false, "query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (StartLearningPeriod .. EndRunTime)\n | where isnotempty(DestinationPort)\n | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (EndRunTime .. now())\n | where isnotempty(DestinationPort)\n | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol\n | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n", "queryFrequency": "PT1H", @@ -2787,10 +2778,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
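Review bot: In the `@@ -2787` hunk the rebuilt `requiredDataConnectors` entry still declares `"dataTypes": [ "EnrichedMicrosoft365AuditLogs" ]`, yet the rule's query reads only `NetworkAccessTraffic`, so the declared data dependency does not match the table the rule actually runs on; the port-scanning rule's `@@ -2899` hunk has the same mismatch, while the deny-rate rule in `@@ -2675` declares `NetworkAccessTrafficLogs` for what is visibly the same table. As far as I can tell `dataTypes` is what Sentinel surfaces as the rule's data prerequisite, so a wrong value misreports whether the rule can run in a given workspace. Suggest aligning both rules with the deny-rate rule, `"dataTypes": [ "NetworkAccessTrafficLogs" ]` (assuming that is the connector's actual data type name), in the source YAML and regenerating the package.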
@@ -2803,8 +2794,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -2812,8 +2803,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "FqdnCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "FqdnCustomEntity" } ] } @@ -2856,7 +2847,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "contentKind": "AnalyticsRule", - "displayName": "Detect Protocol Changes for Destination Ports", + "displayName": "GSA - Detect Protocol Changes for Destination Ports", "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" 
@@ -2886,9 +2877,9 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.", - "displayName": "Detect Source IP Scanning Multiple Open Ports", + "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports", "enabled": false, - "query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated\n", + "query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn\n", "queryFrequency": "P1D", "queryPeriod": "P1D", "severity": "Medium", @@ -2899,10 +2890,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2916,8 +2907,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIp" } ] }, @@ -2925,8 +2916,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Fqdn", - "identifier": "Url" + "identifier": "Url", + "columnName": "DestinationFqdn" } ] } 
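Review bot: Adding `DestinationFqdn` to `summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)` changes what the rule measures: the distinct-port count is now per source/destination pair, so `min_ports_threshold` (100) has to be exceeded against a single FQDN inside one 30s bin instead of per source as before. That narrows the detection, and the unchanged `description` ("a source IP scanning multiple open ports") no longer says so; if the narrowing is intended, state it in the description, otherwise keep the summarize keyed on `SourceIp` and carry the destinations for the entity with `DestinationFqdn = make_set(DestinationFqdn)` (the URL mapping in `@@ -2925` would then need a string column, e.g. `tostring(DestinationFqdn[0])`). Minor: `project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn` is missing the space after the comma.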
@@ -2969,7 +2960,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "contentKind": "AnalyticsRule", - "displayName": "Detect Source IP Scanning Multiple Open Ports", + "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports", "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" 
@@ -3000,7 +2991,7 @@ "eTag": "*", "displayName": "GSA Enriched Office 365 - Anomalous access to other users' mailboxes", "category": "Hunting Queries", - "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet lookback = totimespan((endtime - starttime) * 2);\nlet user_threshold = 1; // Threshold for number of mailboxes accessed\nlet folder_threshold = 5; // Threshold for number of mailbox folders accessed\n// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n OfficeActivity\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) on MailboxOwnerUPN, UserId\n | where isnotempty(Folders)\n | mv-expand parse_json(Folders)\n | extend folders = tostring(Folders.Path)\n | extend ClientIP = iif(Client_IPAddress startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, Client_IPAddress), Client_IPAddress)\n | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId\n | extend folder_count = array_length(set_folders)\n | extend user_count = array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\", folder_count > folder_threshold and user_count < user_threshold, \"Folder Count Threshold Exceeded\", \"User Threshold 
Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n | extend Account_0_Name = AccountName\n | extend Account_0_UPNSuffix = AccountUPNSuffix;\n// EnrichedMicrosoft365AuditLogs Query\nlet EnrichedEvents = EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) on MailboxOwnerUPN, UserId\n | where isnotempty(tostring(parse_json(AdditionalProperties).Folders))\n | mv-expand Folders = parse_json(AdditionalProperties).Folders\n | extend folders = tostring(Folders.Path)\n | extend ClientIP = iif(ClientIp startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, ClientIp), ClientIp)\n | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString)\n | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid)\n | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId\n | extend folder_count = array_length(set_folders)\n | extend user_count = 
array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\", folder_count > folder_threshold and user_count < user_threshold, \"Folder Count Threshold Exceeded\", \"User Threshold Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n | extend Account_0_Name = AccountName\n | extend Account_0_UPNSuffix = AccountUPNSuffix;\n// Combine Office and Enriched Logs\nlet CombinedEvents = OfficeEvents\n | union EnrichedEvents\n | summarize arg_min(StartTime, *) by UserId, ClientIP;\n// Final Output\nCombinedEvents\n | project UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders, AccountName, AccountUPNSuffix\n | order by user_count desc\n", + "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet lookback = totimespan((endtime - starttime) * 2);\nlet user_threshold = 1; // Threshold for number of mailboxes accessed\nlet folder_threshold = 5; // Threshold for number of mailbox folders accessed\n// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n OfficeActivity\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) on MailboxOwnerUPN, UserId\n | where isnotempty(Folders)\n | mv-expand ParsedFolders = 
parse_json(Folders)\n | extend folders = tostring(ParsedFolders.Path)\n | extend ClientIP = iif(Client_IPAddress startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, Client_IPAddress), Client_IPAddress)\n | summarize \n StartTime = max(TimeGenerated), \n EndTime = min(TimeGenerated), \n set_folders = make_set(folders, 100000), \n set_ClientInfoString = make_set(ClientInfoString, 100000), \n set_ClientIP = make_set(ClientIP, 100000), \n set_MailboxGuid = make_set(MailboxGuid, 100000), \n set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) \n by UserId\n | extend \n folder_count = array_length(set_folders),\n user_count = array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(\n user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\",\n folder_count > folder_threshold and user_count <= user_threshold, \"Folder Count Threshold Exceeded\",\n \"User Threshold Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend \n AccountName = tostring(split(UserId, \"@\")[0]), \n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // EnrichedMicrosoft365AuditLogs Query\n let EnrichedEvents = EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) 
on MailboxOwnerUPN, UserId\n | where isnotempty(tostring(parse_json(AdditionalProperties).Folders))\n | mv-expand ParsedFolders = parse_json(AdditionalProperties).Folders\n | extend folders = tostring(ParsedFolders.Path)\n | extend ClientIP = iif(ClientIp startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, ClientIp), ClientIp)\n | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString)\n | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid)\n | summarize \n StartTime = max(TimeGenerated), \n EndTime = min(TimeGenerated), \n set_folders = make_set(folders, 100000), \n set_ClientInfoString = make_set(ClientInfoString, 100000), \n set_ClientIP = make_set(ClientIP, 100000), \n set_MailboxGuid = make_set(MailboxGuid, 100000), \n set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) \n by UserId\n | extend \n folder_count = array_length(set_folders),\n user_count = array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(\n user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\",\n folder_count > folder_threshold and user_count <= user_threshold, \"Folder Count Threshold Exceeded\",\n \"User Threshold Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend \n AccountName = tostring(split(UserId, \"@\")[0]), \n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // Combine Office and Enriched Logs\n let CombinedEvents = OfficeEvents\n | union EnrichedEvents\n | mv-expand ClientIP = set_ClientIP // Expand the set_ClientIP into individual ClientIP rows\n | extend ClientIP = tostring(ClientIP) // Explicitly cast ClientIP to string\n | summarize arg_min(StartTime, *) by UserId, ClientIP\n // Define AccountName and AccountUPNSuffix after summarize to ensure they're available\n | 
extend \n AccountName = tostring(split(UserId, \"@\")[0]), \n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // Final Output\n CombinedEvents\n | project \n UserId, \n user_count, \n folder_count, \n set_MailboxOwnerUPN, \n set_ClientIP, \n set_ClientInfoString, \n set_folders, \n AccountName, \n AccountUPNSuffix\n | order by user_count desc\n", "version": 2, "tags": [ { @@ -3055,9 +3046,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "GSA Enriched Office 365 - Anomalous access to other users' mailboxes", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.2')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.2')))]", - "version": "2.0.2" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.3')))]", + "version": "2.0.3" } }, { diff --git a/Solutions/Global Secure Access/Package/testParameters.json b/Solutions/Global Secure Access/Package/testParameters.json index 8dd674f5956..1025a867a83 100644 --- a/Solutions/Global Secure Access/Package/testParameters.json +++ b/Solutions/Global Secure Access/Package/testParameters.json 
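Review bot: In the new `CombinedEvents` block the query runs `mv-expand ClientIP = set_ClientIP` and then `summarize arg_min(StartTime, *) by UserId, ClientIP`, but the final `project` keeps `set_ClientIP` and drops `ClientIP`, so a user seen from k client IPs now yields k output rows that are indistinguishable in the result; either add `ClientIP` to the final projection or summarize by `UserId` alone. The `extend AccountName = ..., AccountUPNSuffix = ...` placed after that summarize is redundant, since `arg_min(StartTime, *)` already carries both columns through from the two branches (assuming arg_min keeps the original column names, as current Kusto does). The rewrite also drops the `Account_0_Name` and `Account_0_UPNSuffix` columns the old query emitted; if this hunting query's entity mapping (in the `tags` that follow, not visible in the hunk) still refers to them, entity extraction for the query will silently stop working, so please confirm the mapping uses `AccountName`/`AccountUPNSuffix`. The enclosing hunting-query resource continues past this hunk.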
@@ -23,7 +23,7 @@ }, "workbook1-name": { "type": "string", - "defaultValue": "Microsoft Global Secure Access Enriched M365 Logs", + "defaultValue": "Enriched Microsoft 365 logs Workbook", "minLength": 1, "metadata": { "description": "Name for the workbook" @@ -31,7 +31,7 @@ }, "workbook2-name": { "type": "string", - "defaultValue": "Microsoft Global Secure Access Traffic Logs", + "defaultValue": "Network Traffic Insights", "minLength": 1, "metadata": { "description": "Name for the workbook" diff --git a/Solutions/Global Secure Access/ReleaseNotes.md b/Solutions/Global Secure Access/ReleaseNotes.md index c865104afe2..2d7b29dd6cf 100644 --- a/Solutions/Global Secure Access/ReleaseNotes.md +++ b/Solutions/Global Secure Access/ReleaseNotes.md @@ -1,3 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------------------------------------------------| +| 3.0.0 | 28-10-2024 | Fixing queries to combine events | | 3.0.0 | 05-09-2024 | Initial Solution release | + + diff --git a/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json b/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json index 6c4c8225206..8ff99236e9e 100644 --- a/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json +++ b/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json 
@@ -4,7 +4,7 @@ "Logo": "", "Description": "[Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)", "Parsers": [ - "Parsers/ImpervaWAFCloud" + "Parsers/ImpervaWAFCloud.yaml" ], "Data Connectors": [ "Data Connectors/ImpervaWAFCloud_FunctionApp.json" diff --git a/Solutions/ImpervaCloudWAF/Package/3.0.1.zip b/Solutions/ImpervaCloudWAF/Package/3.0.1.zip new file mode 100644 index 00000000000..44c397b614b Binary files /dev/null and b/Solutions/ImpervaCloudWAF/Package/3.0.1.zip differ diff --git a/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json b/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json index ea6900986a5..cdeac76e1c4 100644 --- a/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json +++ b/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ImpervaCloudWAF/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ImpervaCloudWAF/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/ImpervaCloudWAF/Package/mainTemplate.json b/Solutions/ImpervaCloudWAF/Package/mainTemplate.json index d01698538bc..a21da366da1 100644 --- a/Solutions/ImpervaCloudWAF/Package/mainTemplate.json +++ b/Solutions/ImpervaCloudWAF/Package/mainTemplate.json @@ -41,9 +41,16 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "ImpervaCloudWAF", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-impervawafcloud", "_solutionId": "[variables('solutionId')]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','ImpervaWAFCloud')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ImpervaWAFCloud')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ImpervaWAFCloud-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "ImpervaWAFCloud-Parser" + }, "uiConfigId1": "ImpervaWAFCloudAPI", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ImpervaWAFCloudAPI", 
@@ -183,6 +190,138 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ImpervaWAFCloud Data Parser with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ImpervaWAFCloud", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ImpervaWAFCloud", + "query": "ImpervaWAFCloud_CL \n| extend EventVendor = EventVendor_s,\n EventProduct = EventProduct_s,\n EventType = EventType_s,\n EventSeverity = column_ifexists('severity_s', ''),\n DvcAction = column_ifexists('act_s', ''),\n NetworkApplicationProtocol = column_ifexists('app_s', ''),\n Country = column_ifexists('ccode_s', ''),\n City = column_ifexists('cicode_s', ''),\n HttpStatusCode = column_ifexists('cn1_s', ''),\n SrcPortNumber = column_ifexists('cpt_s', ''),\n AccountName = column_ifexists('Customer_s', ''),\n RequestId = column_ifexists('deviceExternalId_s', ''),\n PoPName = 
column_ifexists('deviceFacility_s', ''),\n BrowserType = column_ifexists('dproc_s', ''),\n EventEndTime = column_ifexists('end_s', ''),\n NetworkSessionId = column_ifexists('fileId_s', ''),\n PostBody = column_ifexists('postbody_s', ''),\n QueryString = column_ifexists('qstr_s', ''),\n UrlOriginal = column_ifexists('request_s', ''),\n HttpUserAgentOriginal = column_ifexists('requestClientApplication_s', ''),\n HttpRequestMethod = column_ifexists('requestMethod_s', ''),\n DstIpAddr = column_ifexists('sip_s', ''),\n SiteID = column_ifexists('siteid_s', ''),\n DstDomainHostname = column_ifexists('sourceServiceName_s', ''),\n DstPortNumber = column_ifexists('spt_s', ''),\n SrcIpAddr = column_ifexists('src_s', ''),\n EventStartTime = column_ifexists('start_s', ''),\n AccountID = column_ifexists('suid_s', ''),\n NetworkApplicationProtocoVersion = column_ifexists('ver_s', ''),\n HttpRequestXff = column_ifexists('xff_s', ''),\n CaptchaSupport = column_ifexists('CapSupport_s', ''),\n ClientApp = column_ifexists('clapp_s', ''),\n ClientAppSig = column_ifexists('clappsig_s', ''),\n CookiesSupport = column_ifexists('COSupport_s', ''),\n SrcGeoLatitude = column_ifexists('latitude_s', ''),\n SrcGeoLongitude = column_ifexists('longitude_s', ''),\n VisitorID = column_ifexists('VID_g', '')\n| project TimeGenerated, EventVendor, EventProduct, EventType, EventSeverity, DvcAction, NetworkApplicationProtocol, Country, City, HttpStatusCode, SrcPortNumber, AccountName, RequestId, PoPName, BrowserType, EventEndTime, NetworkSessionId, PostBody, QueryString, UrlOriginal, HttpUserAgentOriginal, HttpRequestMethod, DstIpAddr, SiteID, DstDomainHostname, DstPortNumber, SrcIpAddr, EventStartTime, AccountID, NetworkApplicationProtocoVersion, HttpRequestXff, CaptchaSupport, ClientApp, ClientAppSig, CookiesSupport, SrcGeoLatitude, SrcGeoLongitude, VisitorID\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ImpervaWAFCloud')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "ImpervaCloudWAF", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Parser for ImpervaWAFCloud", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + 
"properties": { + "eTag": "*", + "displayName": "Parser for ImpervaWAFCloud", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ImpervaWAFCloud", + "query": "ImpervaWAFCloud_CL \n| extend EventVendor = EventVendor_s,\n EventProduct = EventProduct_s,\n EventType = EventType_s,\n EventSeverity = column_ifexists('severity_s', ''),\n DvcAction = column_ifexists('act_s', ''),\n NetworkApplicationProtocol = column_ifexists('app_s', ''),\n Country = column_ifexists('ccode_s', ''),\n City = column_ifexists('cicode_s', ''),\n HttpStatusCode = column_ifexists('cn1_s', ''),\n SrcPortNumber = column_ifexists('cpt_s', ''),\n AccountName = column_ifexists('Customer_s', ''),\n RequestId = column_ifexists('deviceExternalId_s', ''),\n PoPName = column_ifexists('deviceFacility_s', ''),\n BrowserType = column_ifexists('dproc_s', ''),\n EventEndTime = column_ifexists('end_s', ''),\n NetworkSessionId = column_ifexists('fileId_s', ''),\n PostBody = column_ifexists('postbody_s', ''),\n QueryString = column_ifexists('qstr_s', ''),\n UrlOriginal = column_ifexists('request_s', ''),\n HttpUserAgentOriginal = column_ifexists('requestClientApplication_s', ''),\n HttpRequestMethod = column_ifexists('requestMethod_s', ''),\n DstIpAddr = column_ifexists('sip_s', ''),\n SiteID = column_ifexists('siteid_s', ''),\n DstDomainHostname = column_ifexists('sourceServiceName_s', ''),\n DstPortNumber = column_ifexists('spt_s', ''),\n SrcIpAddr = column_ifexists('src_s', ''),\n EventStartTime = column_ifexists('start_s', ''),\n AccountID = column_ifexists('suid_s', ''),\n NetworkApplicationProtocoVersion = column_ifexists('ver_s', ''),\n HttpRequestXff = column_ifexists('xff_s', ''),\n CaptchaSupport = column_ifexists('CapSupport_s', ''),\n ClientApp = column_ifexists('clapp_s', ''),\n ClientAppSig = column_ifexists('clappsig_s', ''),\n CookiesSupport = column_ifexists('COSupport_s', ''),\n SrcGeoLatitude = column_ifexists('latitude_s', ''),\n SrcGeoLongitude = column_ifexists('longitude_s', 
''),\n VisitorID = column_ifexists('VID_g', '')\n| project TimeGenerated, EventVendor, EventProduct, EventType, EventSeverity, DvcAction, NetworkApplicationProtocol, Country, City, HttpStatusCode, SrcPortNumber, AccountName, RequestId, PoPName, BrowserType, EventEndTime, NetworkSessionId, PostBody, QueryString, UrlOriginal, HttpUserAgentOriginal, HttpRequestMethod, DstIpAddr, SiteID, DstDomainHostname, DstPortNumber, SrcIpAddr, EventStartTime, AccountID, NetworkApplicationProtocoVersion, HttpRequestXff, CaptchaSupport, ClientApp, ClientAppSig, CookiesSupport, SrcGeoLatitude, SrcGeoLongitude, VisitorID\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ImpervaWAFCloud')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "ImpervaCloudWAF", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -192,7 +331,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaCloudWAF data connector with template version 3.0.0", + "description": "ImpervaCloudWAF data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -543,7 +682,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaAbnormalProtocolUsage_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaAbnormalProtocolUsage_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -648,7 +787,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaAdminPanelUncommonIp_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaAdminPanelUncommonIp_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -753,7 +892,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaAttackNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaAttackNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -858,7 +997,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaCommandInUri_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaCommandInUri_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -963,7 +1102,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -1068,7 +1207,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaForbiddenMethod_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaForbiddenMethod_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1182,7 +1321,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaMaliciousClient_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaMaliciousClient_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1296,7 +1435,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaMaliciousUA_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaMaliciousUA_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -1401,7 +1540,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaMultipleUAsSource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaMultipleUAsSource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1506,7 +1645,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaSuspiciousDstPort_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ImpervaSuspiciousDstPort_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -1611,7 +1750,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaDestinationBlocked_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaDestinationBlocked_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -1696,7 +1835,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaInsecureWebProtocolVersion_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaInsecureWebProtocolVersion_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1781,7 +1920,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaNonWebApplication_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaNonWebApplication_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -1866,7 +2005,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaRareApplications_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaRareApplications_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -1951,7 +2090,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaRareClientApplications_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaRareClientApplications_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2036,7 +2175,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaRareDstPorts_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaRareDstPorts_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -2121,7 +2260,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaRequestsFromBots_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaRequestsFromBots_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -2206,7 +2345,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaSourceBlocked_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaSourceBlocked_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2291,7 +2430,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaTopApplicationsErrors_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaTopApplicationsErrors_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -2376,7 +2515,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpervaTopSourcesErrors_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ImpervaTopSourcesErrors_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -2461,7 +2600,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Imperva WAF Cloud Overview Workbook with template version 3.0.0", + "description": "Imperva WAF Cloud Overview Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2545,12 +2684,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "ImpervaCloudWAF", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Imperva Cloud WAF offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Imperva Cloud WAF offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2575,6 +2714,11 @@ "dependencies": { "operator": "AND", "criteria": [ + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, { "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentId1')]", diff --git a/Solutions/ImpervaCloudWAF/ReleaseNotes.md b/Solutions/ImpervaCloudWAF/ReleaseNotes.md index 739be150f86..8b6db5c2c71 100644 --- a/Solutions/ImpervaCloudWAF/ReleaseNotes.md +++ b/Solutions/ImpervaCloudWAF/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------- | +| 3.0.1 | 07-11-2024 | Added existing ***Parser* into the solution | | 3.0.0 | 22-08-2024 | Updated the python runtime version to **3.11** | diff --git a/Solutions/Infoblox/Package/3.0.1.zip b/Solutions/Infoblox/Package/3.0.1.zip new file mode 100644 index 00000000000..7b774da6e92 Binary files /dev/null and b/Solutions/Infoblox/Package/3.0.1.zip differ diff --git a/Solutions/Infoblox/Package/mainTemplate.json b/Solutions/Infoblox/Package/mainTemplate.json index 8e30123920f..efdba304cc8 100644 --- a/Solutions/Infoblox/Package/mainTemplate.json +++ b/Solutions/Infoblox/Package/mainTemplate.json @@ -47,7 +47,7 @@ }, "variables": { "_solutionName": "Infoblox", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "infoblox.infoblox-app-for-microsoft-sentinel", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "InfobloxDataConnector", 
@@ -316,7 +316,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1307,7 +1307,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -1734,7 +1734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", 
@@ -2099,7 +2099,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -2542,7 +2542,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox data connector with template version 3.0.0", + "description": "Infoblox data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", @@ -2949,7 +2949,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.0", + "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -3107,7 +3107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_Workbook Workbook with template version 3.0.0", + "description": "Infoblox_Workbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
@@ -3125,7 +3125,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host 
Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName 
desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with (pair_delimiter=';', 
kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, 
InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host 
Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"66b112e0-3187-4faa-9357-d229e98002ca\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == 
\\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log 
Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by 
DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, 
InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host 
Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -3257,7 +3257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3285,10 +3285,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "InfobloxSOCInsightsDataConnector_API", "dataTypes": [ "InfobloxInsight" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_API" + ] } ], "tactics": [ @@ -3300,15 +3300,16 @@ ], "entityMappings": [ { + "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "InfobloxInsightID", "identifier": "ObjectGuid" } - ], - "entityType": "SecurityGroup" + ] }, { + "entityType": "Malware", "fieldMappings": [ { "columnName": "ThreatClass", 
@@ -3318,30 +3319,29 @@ "columnName": "ThreatProperty", "identifier": "Category" } - ], - "entityType": "Malware" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Status": "Status", - "Severity": "Priority", - "PersistentDate": "PersistentDate", + "UnblockedHits": "NotBlockedCount", "BlockedHits": "BlockedCount", + "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", + "Severity": "Priority", "FirstSeen": "FirstSeen", + "TotalHits": "EventsCount", "SpreadingDate": "SpreadingDate", "LastSeen": "LastSeen", "FeedSource": "FeedSource", - "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", - "TotalHits": "EventsCount", - "UnblockedHits": "NotBlockedCount" + "PersistentDate": "PersistentDate", + "Status": "Status" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}", "alertSeverityColumnName": "IncidentSeverity", - "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}" + "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" }, "incidentConfiguration": { "createIncident": true @@ -3397,7 +3397,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -3425,16 +3425,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "InfobloxSOCInsightsDataConnector_Legacy", "dataTypes": [ "CommonSecurityLog (InfobloxCDC_SOCInsights)" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_Legacy" + ] }, { + "connectorId": "InfobloxSOCInsightsDataConnector_AMA", "dataTypes": [ "CommonSecurityLog (InfobloxCDC_SOCInsights)" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_AMA" + ] } ], "tactics": [ @@ -3446,15 +3446,16 @@ ], "entityMappings": [ { + "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "InfobloxInsightID", "identifier": "ObjectGuid" } - ], - "entityType": "SecurityGroup" + ] }, { + "entityType": "Malware", "fieldMappings": [ { "columnName": "ThreatClass", @@ -3464,25 +3465,24 @@ "columnName": "ThreatProperty", "identifier": "Category" } - ], - "entityType": "Malware" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Status": "Status", - "UnblockedHits": "NotBlockedCount", "BlockedHits": "BlockedCount", + "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", + "Status": "Status", "TotalHits": "EventsCount", "FeedSource": "FeedSource", - "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]" + "UnblockedHits": "NotBlockedCount" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}", "alertSeverityColumnName": "IncidentSeverity", - "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}" + "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" }, "incidentConfiguration": { "createIncident": true 
@@ -3538,7 +3538,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.0", + "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -3666,7 +3666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsight Data Parser with template version 3.0.0", + "description": "InfobloxInsight Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -3794,7 +3794,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightAssets Data Parser with template version 3.0.0", + "description": "InfobloxInsightAssets Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -3922,7 +3922,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightComments Data Parser with template version 3.0.0", + "description": "InfobloxInsightComments Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", @@ -4050,7 +4050,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightEvents Data Parser with template version 3.0.0", + "description": "InfobloxInsightEvents Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", @@ -4178,7 +4178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightIndicators Data Parser with template version 3.0.0", + "description": "InfobloxInsightIndicators Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", 
@@ -4306,7 +4306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.0", + "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -5010,7 +5010,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.0", + "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -6055,7 +6055,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.0", + "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -6413,7 +6413,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Config-Insights Playbook with template version 3.0.0", + "description": "Infoblox-Config-Insights Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6873,7 +6873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.0", + "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -7584,7 +7584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", 
@@ -8417,7 +8417,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.0", + "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -9313,7 +9313,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.0", + "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -9852,7 +9852,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", 
@@ -11888,7 +11888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", @@ -12832,7 +12832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", @@ -13130,7 +13130,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion12')]", 
@@ -13755,7 +13755,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion13')]", @@ -14524,7 +14524,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion14')]", @@ -15264,7 +15264,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion15')]", 
@@ -16837,7 +16837,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion16')]", @@ -17891,7 +17891,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.0", + "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion17')]", @@ -18431,7 +18431,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Infoblox", diff --git a/Solutions/Infoblox/ReleaseNotes.md b/Solutions/Infoblox/ReleaseNotes.md index 603961b9640..2ef63330b52 100644 --- a/Solutions/Infoblox/ReleaseNotes.md +++ b/Solutions/Infoblox/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.1 | 07-11-2024 | Byug fix in Infoblox_Workbook **Workbook** | | 3.0.0 | 15-07-2024 | Initial Solution Release | \ No newline at end of file 
diff --git a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
index 477109ffdd8..0bb70edba80 100644
--- a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
+++ b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
@@ -5540,7 +5540,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", + "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), 
count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", "size": 0, "showAnalytics": true, "timeContextFromParameter": "TimeRange", diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json index d28de412666..29a65ac80e0 100644 
--- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
@@ -205,7 +205,11 @@
 "Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml",
 "Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml",
 "Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml",
- "Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml"
+ "Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml",
+ "Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml",
+ "Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml",
+ "Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml",
+ "Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml"
 ],
 "Workbooks" : [
 "Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
@@ -213,7 +217,7 @@
 "Workbooks/MicrosoftDefenderForIdentity.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
- "Version": "3.0.9",
+ "Version": "3.0.10",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml
new file mode 100644
index 00000000000..805f1d2998c
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml
@@ -0,0 +1,26 @@
+id: 0955f477-6471-468a-9b13-fc5fa96d7db2
+name: Automated email notifications and suspicious sign-in activity
+description: |
+ This query helps hunting for Automated email notifications and suspicious sign-in activity
+description-detailed: |
+ This query helps hunting for Automated email notifications and suspicious sign-in activity.
+ By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.
+ Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - EmailEvents
+ - AADSignInEventsBeta
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1566
+query: |
+ let usersWithSuspiciousEmails = EmailEvents
+ | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "= 20
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml
new file mode 100644
index 00000000000..524db92b733
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml
@@ -0,0 +1,38 @@
+id: da745698-da8a-40c5-b527-2e9328c2cefe
+name: BEC - File sharing tactics - OneDrive or SharePoint
+description: |
+ This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint
+description-detailed: |
+ This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint.
+ It highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.
+ Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - CloudAppEvents
+tactics:
+ - LateralMovement
+relevantTechniques:
+ - T1021
+query: |
+ let securelinkCreated = CloudAppEvents
+ | where ActionType == "SecureLinkCreated"
+ | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
+ let filesCreated = securelinkCreated
+ | where isnotempty(ObjectName)
+ | distinct tostring(ObjectName);
+ CloudAppEvents
+ | where ActionType == "AddedToSecureLink"
+ | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
+ | extend FileShared = tostring(RawEventData.ObjectId)
+ | where FileShared in (filesCreated)
+ | extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
+ | extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
+ | where TypeofUserSharedWith == "Guest"
+ | where isnotempty(FileShared) and isnotempty(UserSharedWith)
+ | join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
+ // Secure file created recently (in the last 1day)
+ | where (Timestamp - FileCreatedTime) between (1d .. 0h)
+ | summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
+ | where NumofUsersSharedWith >= 20
+version: 1.0.0
\ No newline at end of file
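Review bot: The window filter `| where (Timestamp - FileCreatedTime) between (1d .. 0h)` has its lower bound above its upper bound; unless the engine normalises a reversed range, no value satisfies 1d <= x <= 0h and the query yields nothing even when the comment's intent ("created in the last 1 day") is met. The intended form is `| where (Timestamp - FileCreatedTime) between (0h .. 1d)`. Separately, `TypeofUserSharedWith` is left as a dynamic value while the neighbouring RawEventData fields are wrapped in tostring(); `| extend TypeofUserSharedWith = tostring(RawEventData.TargetUserOrGroupType)` keeps the `== "Guest"` test a plain string comparison and matches the style of the lines above it.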
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml
new file mode 100644
index 00000000000..2a7133c253d
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml
@@ -0,0 +1,30 @@
+id: 11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a
+name: Files share contents and suspicious sign-in activity
+description: |
+ This query helps hunting for Files share contents and suspicious sign-in activity
+description-detailed: |
+ This query helps hunting for Files share contents and suspicious sign-in activity.
+ By correlating the file share emails with suspicious sign-ins, compromises can be detected. Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.
+ Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - EmailEvents
+ - AADSignInEventsBeta
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1566
+query: |
+ let usersWithSuspiciousEmails = EmailEvents
+ | where Subject has_all ("shared", "with you")
+ | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
+ | where isnotempty(RecipientObjectId)
+ | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
+ | where RecipientCount >= 10
+ | mv-expand RecipientList to typeof(string)
+ | distinct RecipientList;
+ AADSignInEventsBeta
+ | where AccountObjectId in (usersWithSuspiciousEmails)
+ | where RiskLevelDuringSignIn == 100
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.10.zip b/Solutions/Microsoft Defender XDR/Package/3.0.10.zip
new file mode 100644
index 00000000000..46d28c7db45
Binary files /dev/null and b/Solutions/Microsoft Defender XDR/Package/3.0.10.zip differ
diff --git a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
index d95e38b9d57..e5d9b2556f1 100644
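Review bot: The final AADSignInEventsBeta stage ties a sign-in to the lure only by `AccountObjectId in (usersWithSuspiciousEmails)` and `RiskLevelDuringSignIn == 100`, so any high-risk sign-in by a recipient anywhere in the query window is returned, including ones that predate the email; the description promises a correlation the query does not enforce. Keeping the email Timestamp through a join and bounding the sign-in to a period after it (the one-day window below is illustrative, tune per tenant) makes the result match the stated intent and cuts noise from unrelated risky sign-ins. A short comment stating that 100 is the high-risk value of RiskLevelDuringSignIn would also save the next reader a schema lookup.
```yaml
# … unchanged: id, name, description, description-detailed, requiredDataConnectors, tactics, relevantTechniques …
query: |
  let campaignSubjects = EmailEvents
  | where Subject has_all ("shared", "with you")
  | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
  | where isnotempty(RecipientObjectId)
  | summarize RecipientCount = dcount(RecipientObjectId) by Subject
  | where RecipientCount >= 10
  | project Subject;
  let suspiciousEmails = EmailEvents
  | where Subject in (campaignSubjects)
  | where isnotempty(RecipientObjectId)
  | project EmailTime = Timestamp, AccountObjectId = RecipientObjectId, Subject;
  AADSignInEventsBeta
  // 100 is the high-risk value of RiskLevelDuringSignIn
  | where RiskLevelDuringSignIn == 100
  | join kind=inner suspiciousEmails on AccountObjectId
  // only sign-ins that follow the lure (window is illustrative; tune per tenant)
  | where (Timestamp - EmailTime) between (0h .. 1d)
  | project-away AccountObjectId1
```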
--- a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender XDR](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.\n\nAdditional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on [GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender). This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 40, **Hunting Queries:** 156\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender XDR](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.\n\nAdditional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on [GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender). This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 40, **Hunting Queries:** 160\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -2938,6 +2938,62 @@ } } ] + }, + { + "name": "huntingquery157", + "type": "Microsoft.Common.Section", + "label": "Automated email notifications and suspicious sign-in activity", + "elements": [ + { + "name": "huntingquery157-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Automated email notifications and suspicious sign-in activity This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents AADSignInEventsBeta Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery158", + "type": "Microsoft.Common.Section", + "label": "Files share contents and suspicious sign-in activity", + "elements": [ + { + "name": "huntingquery158-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Files share contents and suspicious sign-in activity This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents AADSignInEventsBeta Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery159", + "type": "Microsoft.Common.Section", + "label": "BEC - File sharing tactics - OneDrive or SharePoint", + "elements": [ + { + "name": "huntingquery159-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery160", + "type": "Microsoft.Common.Section", + "label": "BEC - File sharing tactics - Dropbox", + "elements": [ + { + "name": "huntingquery160-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for BEC - File sharing tactics - Dropbox This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] } ] } 
diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json index 4ac5705ea00..79071cb1470 100644 --- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json +++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json @@ -57,7 +57,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Defender XDR", - "_solutionVersion": "3.0.9", + "_solutionVersion": "3.0.10", "solutionId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "MicrosoftThreatProtection", 
@@ -1129,6 +1129,26 @@ "_huntingQuerycontentId156": "c10b22a0-6021-46f9-bdaf-05bf2350a554", "huntingQueryTemplateSpecName156": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c10b22a0-6021-46f9-bdaf-05bf2350a554')))]" }, + "huntingQueryObject157": { + "huntingQueryVersion157": "1.0.0", + "_huntingQuerycontentId157": "0955f477-6471-468a-9b13-fc5fa96d7db2", + "huntingQueryTemplateSpecName157": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0955f477-6471-468a-9b13-fc5fa96d7db2')))]" + }, + "huntingQueryObject158": { + "huntingQueryVersion158": "1.0.0", + "_huntingQuerycontentId158": "11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a", + "huntingQueryTemplateSpecName158": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a')))]" + }, + "huntingQueryObject159": { + "huntingQueryVersion159": "1.0.0", + "_huntingQuerycontentId159": "da745698-da8a-40c5-b527-2e9328c2cefe", + "huntingQueryTemplateSpecName159": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('da745698-da8a-40c5-b527-2e9328c2cefe')))]" + }, + "huntingQueryObject160": { + "huntingQueryVersion160": "1.0.0", + "_huntingQuerycontentId160": "85dea577-1c76-44ff-8cad-b47182874ddb", + "huntingQueryTemplateSpecName160": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('85dea577-1c76-44ff-8cad-b47182874ddb')))]" + }, "workbookVersion1": "1.0.0", "workbookContentId1": "MicrosoftDefenderForOffice365detectionsandinsights", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -1160,7 +1180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Defender XDR data connector with template version 3.0.9", + "description": "Microsoft Defender XDR data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1637,7 +1657,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -1665,86 +1685,86 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertEvidence", "EmailEvents", "IdentityInfo", "DeviceEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AWSS3", "datatypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream_CL" - ] + ], + "connectorId": "AIVectraStream" } ], "tactics": [ @@ -1757,6 +1777,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
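Review bot: The AWSS3 entry in `requiredDataConnectors` uses the key `datatypes` while every sibling entry uses `dataTypes`, and the key reorder in this hunk carries the mismatch through unchanged; a consumer that reads `dataTypes` case-sensitively would see no required data type for that connector, so the `AWSVPCFlow` dependency would never be evaluated. Since this mainTemplate.json looks like packaging output, the correction belongs in the source analytic rule YAML (the PossiblePhishingwithCSL&NetworkSession rule) followed by a re-package, so that the emitted line becomes `"dataTypes": [`. It is worth grepping the solution's other rule and hunting-query templates touched by this packaging run for the same lowercase key, since the remaining hunks only reorder `connectorId` and `entityType` and would not have surfaced it.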
@@ -1770,10 +1791,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1787,10 +1808,10 @@ "identifier": "UPNSuffix", "columnName": "RecipientEmailUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1804,26 +1825,25 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "DestinationIP" } - ], - "entityType": "IP" + ] } ] } @@ -1879,7 +1899,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1907,11 +1927,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceImageLoadEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1922,6 +1942,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1935,10 +1956,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -1952,8 +1973,7 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] } ] } @@ -2009,7 +2029,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2037,11 +2057,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2052,6 +2072,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -2061,10 +2082,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2078,8 +2099,7 @@ "identifier": "UPNSuffix", "columnName": "FileEditDomain" } - ], - "entityType": "Account" + ] } ] } 
@@ -2135,7 +2155,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2163,10 +2183,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2181,6 +2201,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2194,10 +2215,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2211,10 +2232,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -2224,8 +2245,7 @@ "identifier": "Value", "columnName": "InitiatingProcessSHA1" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -2281,7 +2301,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2309,10 +2329,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2327,6 +2347,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2340,10 +2361,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2357,28 +2378,28 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -2388,8 +2409,7 @@ "identifier": "Value", "columnName": "InitiatingProcessMD5" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -2445,7 +2465,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2473,10 +2493,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2491,6 +2511,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2504,10 +2525,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2521,10 +2542,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -2534,8 +2555,7 @@ "identifier": "Value", "columnName": "MD5" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -2591,7 +2611,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2619,10 +2639,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2633,6 +2653,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2646,8 +2667,7 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2703,7 +2723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2731,10 +2751,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -2745,6 +2765,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2758,17 +2779,16 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } @@ -2824,7 +2844,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2852,10 +2872,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2866,6 +2886,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2879,17 +2900,16 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } 
@@ -2945,7 +2965,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2973,13 +2993,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceEvents", "DeviceTvmSoftwareVulnerabilities" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2990,6 +3010,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3003,10 +3024,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -3020,62 +3041,61 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "ProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "InitiatingProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDynamicProperties": [], - "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863" + "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863", + "alertDynamicProperties": [] }, "incidentConfiguration": { "groupingConfiguration": { + "reopenClosedIncident": false, + "enabled": false, + "matchingMethod": "Selected", "groupByEntities": [ "Account" ], - "lookbackDuration": "PT5H", - "enabled": false, - "matchingMethod": "Selected", - "reopenClosedIncident": false + "lookbackDuration": "PT5H" }, "createIncident": false } @@ -3132,7 +3152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", 
@@ -3160,10 +3180,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3178,6 +3198,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3191,8 +3212,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3248,7 +3268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3285,6 +3305,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3298,8 +3319,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3355,7 +3375,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -3383,10 +3403,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3397,6 +3417,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3410,8 +3431,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3467,7 +3487,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3495,10 +3515,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3509,6 +3529,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3522,8 +3543,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -3579,7 +3599,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -3607,10 +3627,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3621,6 +3641,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3634,8 +3655,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3691,7 +3711,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3719,10 +3739,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3733,6 +3753,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3746,8 +3767,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3803,7 +3823,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -3831,10 +3851,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3847,6 +3867,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3860,8 +3881,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3917,7 +3937,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", 
@@ -3945,10 +3965,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3959,6 +3979,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3972,8 +3993,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4029,7 +4049,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4057,11 +4077,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4077,6 +4097,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4090,35 +4111,34 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -4174,7 +4194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4202,11 +4222,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4222,6 +4242,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4235,35 +4256,34 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -4319,7 +4339,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -4347,10 +4367,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4366,6 +4386,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4379,8 +4400,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4436,7 +4456,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4464,10 +4484,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -4482,6 +4502,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4495,10 +4516,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -4508,8 +4529,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -4565,7 +4585,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4593,10 +4613,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4611,6 +4631,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4624,10 +4645,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -4637,8 +4658,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } 
@@ -4694,7 +4714,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -4722,10 +4742,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4739,6 +4759,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4752,10 +4773,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -4769,8 +4790,7 @@ "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -4826,7 +4846,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", 
@@ -4854,11 +4874,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4869,6 +4889,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4882,10 +4903,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", @@ -4895,10 +4916,10 @@ "identifier": "Directory", "columnName": "FolderPath" } - ], - "entityType": "File" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -4908,8 +4929,7 @@ "identifier": "Value", "columnName": "SHA256" } - ], - "entityType": "FileHash" + ] } ] } @@ -4965,7 +4985,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -4993,10 +5013,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceRegistryEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5007,6 +5027,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5020,10 +5041,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "RegistryValue", "fieldMappings": [ { "identifier": "Name", 
@@ -5033,8 +5054,7 @@ "identifier": "Value", "columnName": "RegistryValueData" } - ], - "entityType": "RegistryValue" + ] } ] } @@ -5090,7 +5110,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5118,11 +5138,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents", "AADSignInEventsBeta" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5133,15 +5153,16 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5151,17 +5172,16 @@ "identifier": "NTDomain", "columnName": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "AppId", "columnName": "ApplicationId" } - ], - "entityType": "CloudApplication" + ] } ], "customDetails": { 
@@ -5220,7 +5240,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5248,10 +5268,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5262,6 +5282,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5275,8 +5296,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -5332,7 +5352,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -5360,11 +5380,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceLogonEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -5375,6 +5395,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5388,10 +5409,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -5405,8 +5426,7 @@ "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -5462,7 +5482,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -5490,10 +5510,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5504,6 +5524,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5517,10 +5538,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5530,8 +5551,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } 
@@ -5587,7 +5607,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -5615,11 +5635,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityInfo", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5630,6 +5650,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5643,10 +5664,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -5660,8 +5681,7 @@ "identifier": "NTDomain", "columnName": "laccountdomain" } - ], - "entityType": "Account" + ] } ] } @@ -5717,7 +5737,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", 
@@ -5745,13 +5765,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceFileEvents", "DeviceImageLoadEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5766,6 +5786,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5779,10 +5800,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5792,8 +5813,7 @@ "identifier": "CommandLine", "columnName": "ServiceProcessCmdline" } - ], - "entityType": "Process" + ] } ] } @@ -5849,7 +5869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -5877,10 +5897,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5891,6 +5911,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5904,10 +5925,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -5921,10 +5942,10 @@ "identifier": "NTDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5934,8 +5955,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -5991,7 +6011,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", @@ -6019,10 +6039,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6033,6 +6053,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6046,8 +6067,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -6103,7 +6123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -6131,10 +6151,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6145,6 +6165,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6158,10 +6179,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -6171,8 +6192,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6228,7 +6248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", 
@@ -6256,10 +6276,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6270,6 +6290,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6283,8 +6304,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6340,7 +6360,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", @@ -6368,10 +6388,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6382,6 +6402,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6395,8 +6416,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -6452,7 +6472,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -6480,12 +6500,12 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertInfo", "AlertEvidence", "DeviceLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6502,6 +6522,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6515,10 +6536,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -6532,17 +6553,16 @@ "identifier": "DnsDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] } ] } 
@@ -6598,7 +6618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -6626,10 +6646,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6644,6 +6664,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6657,8 +6678,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6714,7 +6734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -6742,10 +6762,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6756,6 +6776,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6769,10 +6790,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -6786,10 +6807,10 @@ "identifier": "DnsDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -6799,8 +6820,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6856,7 +6876,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -6941,7 +6961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -7026,7 +7046,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.9", + "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -7111,7 +7131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -7192,7 +7212,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -7273,7 +7293,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -7354,7 +7374,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -7435,7 +7455,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -7516,7 +7536,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -7597,7 +7617,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -7682,7 +7702,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -7763,7 +7783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -7844,7 +7864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -7925,7 +7945,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", 
@@ -8006,7 +8026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", @@ -8087,7 +8107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]", @@ -8168,7 +8188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]", 
@@ -8249,7 +8269,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]", @@ -8330,7 +8350,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]", @@ -8415,7 +8435,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]", 
@@ -8496,7 +8516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]", @@ -8577,7 +8597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]", @@ -8658,7 +8678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.9", + "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]", 
@@ -8739,7 +8759,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]", @@ -8820,7 +8840,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]", @@ -8901,7 +8921,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]", 
@@ -8982,7 +9002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]", @@ -9063,7 +9083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]", @@ -9144,7 +9164,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]", 
@@ -9225,7 +9245,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.9", + "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]", @@ -9310,7 +9330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]", @@ -9391,7 +9411,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]", 
@@ -9472,7 +9492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]", @@ -9553,7 +9573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]", @@ -9634,7 +9654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]", 
@@ -9711,7 +9731,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]", @@ -9792,7 +9812,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject37').huntingQueryVersion37]", @@ -9873,7 +9893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject38').huntingQueryVersion38]", 
@@ -9954,7 +9974,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject39').huntingQueryVersion39]", @@ -10035,7 +10055,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.9", + "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject40').huntingQueryVersion40]", @@ -10116,7 +10136,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject41').huntingQueryVersion41]", 
@@ -10197,7 +10217,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject42').huntingQueryVersion42]", @@ -10278,7 +10298,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject43').huntingQueryVersion43]", @@ -10359,7 +10379,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject44').huntingQueryVersion44]", 
@@ -10440,7 +10460,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject45').huntingQueryVersion45]", @@ -10525,7 +10545,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.9", + "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject46').huntingQueryVersion46]", @@ -10606,7 +10626,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject47').huntingQueryVersion47]", 
@@ -10687,7 +10707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject48').huntingQueryVersion48]", @@ -10768,7 +10788,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject49').huntingQueryVersion49]", @@ -10849,7 +10869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject50').huntingQueryVersion50]", 
@@ -10930,7 +10950,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject51').huntingQueryVersion51]", @@ -11011,7 +11031,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject52').huntingQueryVersion52]", @@ -11092,7 +11112,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject53').huntingQueryVersion53]", 
@@ -11173,7 +11193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject54').huntingQueryVersion54]", @@ -11258,7 +11278,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject55').huntingQueryVersion55]", @@ -11343,7 +11363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject56').huntingQueryVersion56]", 
@@ -11420,7 +11440,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject57').huntingQueryVersion57]", @@ -11505,7 +11525,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject58').huntingQueryVersion58]", @@ -11586,7 +11606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject59').huntingQueryVersion59]", 
@@ -11671,7 +11691,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject60').huntingQueryVersion60]", @@ -11752,7 +11772,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject61').huntingQueryVersion61]", @@ -11829,7 +11849,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject62').huntingQueryVersion62]", 
@@ -11910,7 +11930,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject63').huntingQueryVersion63]", @@ -11987,7 +12007,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject64').huntingQueryVersion64]", @@ -12072,7 +12092,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject65').huntingQueryVersion65]", 
@@ -12153,7 +12173,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject66').huntingQueryVersion66]", @@ -12234,7 +12254,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject67').huntingQueryVersion67]", @@ -12315,7 +12335,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject68').huntingQueryVersion68]", 
@@ -12396,7 +12416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject69').huntingQueryVersion69]", @@ -12477,7 +12497,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject70').huntingQueryVersion70]", @@ -12558,7 +12578,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject71').huntingQueryVersion71]", 
@@ -12643,7 +12663,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.9", + "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject72').huntingQueryVersion72]", @@ -12728,7 +12748,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject73').huntingQueryVersion73]", @@ -12813,7 +12833,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject74').huntingQueryVersion74]", 
@@ -12898,7 +12918,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject75').huntingQueryVersion75]", @@ -12983,7 +13003,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject76').huntingQueryVersion76]", @@ -13068,7 +13088,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject77').huntingQueryVersion77]", 
@@ -13153,7 +13173,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject78').huntingQueryVersion78]", @@ -13238,7 +13258,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject79').huntingQueryVersion79]", @@ -13323,7 +13343,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject80').huntingQueryVersion80]", 
@@ -13408,7 +13428,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject81').huntingQueryVersion81]", @@ -13493,7 +13513,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.9", + "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject82').huntingQueryVersion82]", @@ -13578,7 +13598,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject83').huntingQueryVersion83]", 
@@ -13663,7 +13683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject84').huntingQueryVersion84]", @@ -13748,7 +13768,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject85').huntingQueryVersion85]", @@ -13833,7 +13853,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject86').huntingQueryVersion86]", 
@@ -13918,7 +13938,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject87').huntingQueryVersion87]", @@ -14003,7 +14023,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject88').huntingQueryVersion88]", @@ -14088,7 +14108,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject89').huntingQueryVersion89]", 
@@ -14173,7 +14193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject90').huntingQueryVersion90]", @@ -14258,7 +14278,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject91').huntingQueryVersion91]", @@ -14343,7 +14363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject92').huntingQueryVersion92]", 
@@ -14428,7 +14448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject93').huntingQueryVersion93]", @@ -14513,7 +14533,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject94').huntingQueryVersion94]", @@ -14598,7 +14618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject95').huntingQueryVersion95]", 
@@ -14683,7 +14703,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject96').huntingQueryVersion96]", @@ -14768,7 +14788,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject97').huntingQueryVersion97]", @@ -14853,7 +14873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject98').huntingQueryVersion98]", 
@@ -14938,7 +14958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject99').huntingQueryVersion99]", @@ -15023,7 +15043,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject100').huntingQueryVersion100]", @@ -15108,7 +15128,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject101').huntingQueryVersion101]", 
@@ -15193,7 +15213,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject102').huntingQueryVersion102]", @@ -15278,7 +15298,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject103').huntingQueryVersion103]", @@ -15363,7 +15383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject104').huntingQueryVersion104]", 
@@ -15448,7 +15468,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject105').huntingQueryVersion105]", @@ -15533,7 +15553,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject106').huntingQueryVersion106]", @@ -15618,7 +15638,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject107').huntingQueryVersion107]", 
@@ -15703,7 +15723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject108').huntingQueryVersion108]", @@ -15788,7 +15808,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject109').huntingQueryVersion109]", @@ -15873,7 +15893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject110').huntingQueryVersion110]", 
@@ -15958,7 +15978,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject111').huntingQueryVersion111]", @@ -16043,7 +16063,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject112').huntingQueryVersion112]", @@ -16128,7 +16148,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject113').huntingQueryVersion113]", 
@@ -16213,7 +16233,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject114').huntingQueryVersion114]", @@ -16298,7 +16318,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject115').huntingQueryVersion115]", 
@@ -16383,7 +16403,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject116').huntingQueryVersion116]", @@ -16468,7 +16488,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject117').huntingQueryVersion117]", @@ -16553,7 +16573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject118').huntingQueryVersion118]", 
@@ -16638,7 +16658,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject119').huntingQueryVersion119]", @@ -16723,7 +16743,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject120').huntingQueryVersion120]", @@ -16808,7 +16828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject121').huntingQueryVersion121]", 
@@ -16893,7 +16913,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject122').huntingQueryVersion122]", @@ -16978,7 +16998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject123').huntingQueryVersion123]", 
@@ -17063,7 +17083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject124').huntingQueryVersion124]", @@ -17148,7 +17168,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject125').huntingQueryVersion125]", @@ -17233,7 +17253,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.9", + "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject126').huntingQueryVersion126]", 
@@ -17318,7 +17338,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject127').huntingQueryVersion127]", @@ -17403,7 +17423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject128').huntingQueryVersion128]", @@ -17488,7 +17508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject129').huntingQueryVersion129]", 
@@ -17573,7 +17593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject130').huntingQueryVersion130]", @@ -17658,7 +17678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject131').huntingQueryVersion131]", @@ -17743,7 +17763,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject132').huntingQueryVersion132]", 
@@ -17828,7 +17848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject133').huntingQueryVersion133]", @@ -17913,7 +17933,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject134').huntingQueryVersion134]", @@ -17998,7 +18018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject135').huntingQueryVersion135]", 
@@ -18083,7 +18103,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject136').huntingQueryVersion136]", @@ -18168,7 +18188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject137').huntingQueryVersion137]", @@ -18253,7 +18273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject138').huntingQueryVersion138]", 
@@ -18338,7 +18358,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject139').huntingQueryVersion139]", @@ -18423,7 +18443,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject140').huntingQueryVersion140]", @@ -18508,7 +18528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject141').huntingQueryVersion141]", 
@@ -18593,7 +18613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject142').huntingQueryVersion142]", @@ -18678,7 +18698,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject143').huntingQueryVersion143]", @@ -18763,7 +18783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject144').huntingQueryVersion144]", 
@@ -18848,7 +18868,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject145').huntingQueryVersion145]", @@ -18933,7 +18953,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.9", + "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject146').huntingQueryVersion146]", @@ -19018,7 +19038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject147').huntingQueryVersion147]", 
@@ -19103,7 +19123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject148').huntingQueryVersion148]", @@ -19188,7 +19208,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject149').huntingQueryVersion149]", @@ -19273,7 +19293,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject150').huntingQueryVersion150]", 
@@ -19358,7 +19378,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject151').huntingQueryVersion151]", @@ -19443,7 +19463,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject152').huntingQueryVersion152]", @@ -19528,7 +19548,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject153').huntingQueryVersion153]", 
@@ -19613,7 +19633,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject154').huntingQueryVersion154]", @@ -19698,7 +19718,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject155').huntingQueryVersion155]", @@ -19783,7 +19803,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject156').huntingQueryVersion156]", 
@@ -19859,6 +19879,346 @@ "version": "1.0.0" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject157').huntingQueryTemplateSpecName157]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Automated email notifications and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.10", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject157').huntingQueryVersion157]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_157", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Automated email notifications and suspicious sign-in activity", + "category": "Hunting Queries", + "query": "let usersWithSuspiciousEmails = EmailEvents\n| where SenderFromAddress in (\"no-reply@notify.microsoft.com\", \"no-reply@dropbox.com\") or InternetMessageId startswith \"= 10\n| mv-expand RecipientList to typeof(string)\n| distinct RecipientList;\nAADSignInEventsBeta\n| where AccountObjectId in (usersWithSuspiciousEmails)\n| where RiskLevelDuringSignIn == 100\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for Files share contents and suspicious sign-in activity" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", 
+ "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject158')._huntingQuerycontentId158),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 158", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject158')._huntingQuerycontentId158)]", + "contentId": "[variables('huntingQueryObject158')._huntingQuerycontentId158]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject158').huntingQueryVersion158]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject158')._huntingQuerycontentId158]", + "contentKind": "HuntingQuery", + "displayName": "Files share contents and suspicious sign-in activity", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject158')._huntingQuerycontentId158,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject158')._huntingQuerycontentId158,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject159').huntingQueryTemplateSpecName159]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BEC - File sharing tactics - OneDrive or SharePoint_HuntingQueries Hunting Query with template version 3.0.10", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject159').huntingQueryVersion159]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_159", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "BEC - File sharing tactics - OneDrive or SharePoint", + "category": "Hunting Queries", + "query": "let securelinkCreated = CloudAppEvents\n| where ActionType == \"SecureLinkCreated\"\n| project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;\nlet filesCreated = securelinkCreated\n| where isnotempty(ObjectName)\n| distinct tostring(ObjectName);\nCloudAppEvents\n| where ActionType == \"AddedToSecureLink\"\n| where Application in (\"Microsoft SharePoint Online\", \"Microsoft OneDrive for Business\")\n| extend FileShared = tostring(RawEventData.ObjectId)\n| where FileShared in (filesCreated)\n| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)\n| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType\n| where TypeofUserSharedWith == \"Guest\"\n| where isnotempty(FileShared) and isnotempty(UserSharedWith)\n| join kind=inner securelinkCreated on 
$left.FileShared==$right.ObjectName\n// Secure file created recently (in the last 1day)\n| where (Timestamp - FileCreatedTime) between (1d .. 0h)\n| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared\n| where NumofUsersSharedWith >= 20\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint" + }, + { + "name": "tactics", + "value": "LateralMovement" + }, + { + "name": "techniques", + "value": "T1021" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject159')._huntingQuerycontentId159),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 159", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject159')._huntingQuerycontentId159)]", + "contentId": "[variables('huntingQueryObject159')._huntingQuerycontentId159]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject159').huntingQueryVersion159]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject159')._huntingQuerycontentId159]", + "contentKind": "HuntingQuery", + 
"displayName": "BEC - File sharing tactics - OneDrive or SharePoint", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject159')._huntingQuerycontentId159,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject159')._huntingQuerycontentId159,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject160').huntingQueryTemplateSpecName160]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BEC - File sharing tactics - Dropbox_HuntingQueries Hunting Query with template version 3.0.10", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject160').huntingQueryVersion160]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_160", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "BEC - File sharing tactics - Dropbox", + "category": "Hunting Queries", + "query": "CloudAppEvents\n| where ActionType in (\"Added users and/or groups to shared file/folder\", \"Invited user to Dropbox and added them to shared file/folder\")\n| where Application == \"Dropbox\"\n| where ObjectType == \"File\"\n| extend FileShared = tostring(ObjectName)\n| where 
isnotempty(FileShared)\n| mv-expand ActivityObjects\n| where ActivityObjects.Type == \"Account\" and ActivityObjects.Role == \"To\"\n| extend SharedBy = AccountId\n| extend UserSharedWith = tostring(ActivityObjects.Name)\n| summarize dcount(UserSharedWith) by FileShared, AccountObjectId\n| where dcount_UserSharedWith >= 20\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for BEC - File sharing tactics - Dropbox" + }, + { + "name": "tactics", + "value": "LateralMovement" + }, + { + "name": "techniques", + "value": "T1021" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject160')._huntingQuerycontentId160),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 160", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject160')._huntingQuerycontentId160)]", + "contentId": "[variables('huntingQueryObject160')._huntingQuerycontentId160]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject160').huntingQueryVersion160]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('huntingQueryObject160')._huntingQuerycontentId160]", + "contentKind": "HuntingQuery", + "displayName": "BEC - File sharing tactics - Dropbox", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject160')._huntingQuerycontentId160,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject160')._huntingQuerycontentId160,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -19868,7 +20228,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.9", + "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -19972,7 +20332,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.9", + "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
@@ -20047,7 +20407,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.9", + "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -20139,12 +20499,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Defender XDR", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

\n

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 40, Hunting Queries: 156

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

\n

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 40, Hunting Queries: 160

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -21154,6 +21514,26 @@ "contentId": "[variables('huntingQueryObject156')._huntingQuerycontentId156]", "version": "[variables('huntingQueryObject156').huntingQueryVersion156]" }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject157')._huntingQuerycontentId157]", + "version": "[variables('huntingQueryObject157').huntingQueryVersion157]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject158')._huntingQuerycontentId158]", + "version": "[variables('huntingQueryObject158').huntingQueryVersion158]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject159')._huntingQuerycontentId159]", + "version": "[variables('huntingQueryObject159').huntingQueryVersion159]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject160')._huntingQuerycontentId160]", + "version": "[variables('huntingQueryObject160').huntingQueryVersion160]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json index b2403b8410e..51b86166103 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json 
@@ -1,8 +1,8 @@
 {
 "id": "ESI-ExchangeAdminAuditLogEvents",
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -100,35 +100,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -209,7 +188,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
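Review bot: The prerequisite added to the `customs` list misspells its user-facing name and description — `"name": "Detailled documentation"` and `">**NOTE:** Detailled documentation on Installation procedure and usage ..."` should read `Detailed`, since both strings are rendered on the connector page. The same entry is added in ESI-ExchangeOnPremisesCollector.json and in both new ESI-Opt connector files, so it wants fixing in all four places. The options note this hunk keeps as context, and which the new Opt1 file adds verbatim, also reads `Each options are independant for one from the other`; `Each option is independent of the others` is the intended sentence.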
@@ -229,7 +208,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
@@ -689,15 +668,53 @@ "type": "InstructionStepsGroup" } ] + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9", - "version": "2.2.1", + "version": "2.2.2", "kind": "dataConnector", "source": { "kind": "solution", - "name": "ESI - Exchange Security Configuration Analyzer" + "name": "Microsoft Exchange Security - Exchange On-Premises" }, "support": { "name": "Community", 
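Review bot: The re-added parser step opens with `"title": ""`, so it renders with a blank heading, and its `description` says in one breath that parsers are automatically deployed with the solution and that the reader should follow the steps to create the function alias. Either drop the empty `title` key (the step this commit removes from the top of the file had none) or give it a real one such as `"title": "Parser deployment (automatic with the solution)"`, and reword the description to `Parsers are automatically deployed with the solution; the steps below are only needed for a manual deployment.` The same empty-title block is added in ESI-ExchangeOnPremisesCollector.json and in the new ESI-Opt1 connector file.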
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json
index 8a5aca66a47..ab20473cb4c 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json
@@ -19,7 +19,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
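Review bot: The new `lastDataReceivedQuery` collapses the per-(GenerationInstanceID_g, ESIEnvironment_s) maxima into one overall maximum, so the intermediate `by` clause no longer contributes anything to the result; `ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time)` yields the same `Time` whenever at least one row has a parsable `EntryDate_s`, and, if I read KQL's empty-input `summarize` correctly, also avoids returning a single null row when none does. Whichever form is kept, `|summarize` should be written `| summarize` to match the spacing of the rest of the query.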
@@ -61,40 +61,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ - { - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**", - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "title": "1. Install the ESI Collector Script on a server with Exchange Admin PowerShell console", "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", 
@@ -152,11 +126,49 @@ { "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)", "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management" + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d", - "version": "1.2.1", + "version": "1.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
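Review bot: The parser step added to ESI-ExchangeOnPremisesCollector.json points at the wrong parser: it links `ExchangeAdminAuditLogs` (aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser) and says `No parameter is needed for this parser`, while the step this commit removes from the same file (the `@@ -61,40 +61,14 @@` hunk) covered the two parsers this collector depends on, `ExchangeConfiguration` and `ExchangeEnvironmentList`, and told the reader to `Define the parameters as asked on the header of the parser file`. It reads like a copy of the block added to ESI-ExchangeAdminAuditLogEvents.json; someone following it manually would create a parser for a different data type and never create the two the removed text named as required. Restore the `ExchangeConfiguration` / `ExchangeEnvironmentList` links, the "reproduce steps 2 and 3 for the second file" step and the parameter note inside the new nested `InstructionStepsGroup` layout.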
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json new file mode 100644 index 00000000000..fa1ad2c7c2e --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json 
@@ -0,0 +1,199 @@ +{ + "id": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs", + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules", + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "DCR", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. 
Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json new file mode 100644 index 00000000000..f980fc45731 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json 
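Review bot: The workspace entry in `permissions.resourceProvider` declares `"delete": true` alongside read and write, but nothing in this connector's instruction steps deletes anything — they deploy a DCR and a Kusto function — so unless the Sentinel connector framework requires delete for enablement, declare only `"read": true, "write": true` so the prerequisite check does not demand a broader role than the connector uses. In the DCR section the sub-step titled `Option 2 - Manual Deployment of Azure Automation` describes creating a Data Collection Rule, not an Automation account; `Option 2 - Manual Deployment of the Data Collection Rule` matches its description. The ARM step list also carries a stray `>` in `\n>4. Mark the checkbox`, which renders step 4 as a block quote. The same `"delete": true` is visible in the new Opt2 connector, whose hunk runs past the end of this chunk.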
@@ -0,0 +1,183 @@ +{ + "id": "ESI-Opt2ExchangeServersEventLogs", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers", + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "22e0234b-278d-40f4-8be8-c2968faeaf91", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json new file mode 100644 index 00000000000..8084de0ae36 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json 
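Review bot: The `permissions` block asks for `Microsoft.OperationalInsights/workspaces/sharedKeys` (`"action": true`) and `"delete": true` on the workspace, yet every step in this connector deploys Azure Monitor Agent via Azure Arc and Data Collection Rules, which never use the workspace shared key; that key is an ingestion secret that lets its holder write arbitrary records into the workspace, so a connector that does not need it should not require read access to it. I would remove the `sharedKeys` resourceProvider entry and set `"delete": false` unless a step in this hunk actually depends on them (none visible does). The `graphQueries` and `connectivityCriterias` only look at `Event | where EventLog == 'Application'`, so a missing Security-log DCR, or a rule assigned to the wrong machines, still reports as connected; consider a `union Event, SecurityEvent` scoped to the Exchange computers, or at least a note that the status reflects Application events only. The `customs` text "Azure Log Analytics will be deprecated" is inaccurate — it is the Log Analytics (MMA) agent that is being retired — and should read `"name": "Log Analytics agent will be deprecated"` with the description adjusted to match.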
@@ -0,0 +1,151 @@ +{ + "id": "ESI-Opt34DomainControllersSecurityEventLogs", + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Security logs of Domain Controllers", + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "036e16af-5a27-465a-8662-b7ac385a8d45", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json new file mode 100644 index 00000000000..5e0f308c123 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json 
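Review bot: The "Deploy Monitor Agents" step tells operators to install the Azure Arc agent on domain controllers, but nothing in the connector warns that Arc-enabling a DC extends the tier-0 control plane into Azure RBAC: any principal who can deploy extensions or run commands on the Arc resource can execute code as SYSTEM on the DC. A one-line caveat in that step, e.g. `Domain controllers are tier-0 assets: place their Arc resources in a dedicated resource group with tightly scoped RBAC and review extension/run-command permissions before onboarding.`, would be worth adding. As in the sibling connectors, `sharedKeys` read and workspace `delete` are requested although the AMA/DCR flow described here never uses the workspace ingestion key. The `SecurityEvent` queries in `graphQueries` and `connectivityCriterias` are unscoped, so any Windows host forwarding security events (for example the Exchange servers from Option 2) makes this connector report connected even when no DC is onboarded. The first `customs` entry also lacks the `name` key that the other connectors set, which looks like a copy/paste slip.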
@@ -0,0 +1,184 @@ +{ + "id": "ESI-Opt5ExchangeIISLogs", + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." + }, + { + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "[Option 5] IIS logs of Exchange Servers", + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + 
"description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. 
In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json new file mode 100644 index 00000000000..932d31bfe5e --- /dev/null 
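Review bot: The `instructions` array under "Enable data collection rule" contains a bare `{ "type": "AdminAuditEvents" }` object with no `parameters`; it does not appear in the sibling Option 2/3/4 connectors and looks like a leftover from the admin-audit connector, so it should probably be removed rather than left for the portal to render as an unknown step. The `permissions` block again requests `Microsoft.OperationalInsights/workspaces/sharedKeys` and workspace `delete` although the DCE/DCR deployment described here never needs the workspace ingestion key. Since this connector ships full W3C IIS logs, which on Exchange front ends include `cs-username`, client IPs and `cs-uri-query`, a short data-handling note in `descriptionMarkdown` (e.g. `IIS logs can contain usernames and URL query parameters; review workspace access and retention accordingly.`) would help operators scope access. The DCE step numbering also jumps from 3 to 5 in the ARM path and repeats 3 in the manual path.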
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json 
@@ -0,0 +1,201 @@ +{ + "id": "ESI-Opt6ExchangeMessageTrackingLogs", + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. Message Tracking of Exchange Servers", + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. 
Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "ababbb06-b977-4259-ab76-87874d353039", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json new file mode 100644 index 00000000000..c65ebb89cd5 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json 
@@ -0,0 +1,201 @@ +{ + "id": "ESI-Opt7ExchangeHTTPProxyLogs", + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. [Option 7] HTTP Proxy of Exchange Servers", + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file 
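Review bot: The Transform KQL quoted in step 7 of the manual DCR instructions ends with `| project-away d,RawData,DateTime | project-away d,RawData,DateTime`; the second `project-away` names columns the first one already removed, so it is at best redundant and, if the transform engine rejects unknown column names, breaks the transform for anyone who pastes it, so the tail should read `| extend TimeGenerated = DateTime | project-away d,RawData,DateTime`. Two copy-over slips in the same file: the 'Data Collection Rules' step says `Message Tracking are collected only from **Windows** agents.` although this connector is about HTTP Proxy logs, and both DCE step lists misnumber their items (3, 3 and 3, 5). Finally, `permissions.resourceProvider` requires `sharedKeys` action rights, yet this option ingests through AMA and a DCR, which do not use workspace keys; unless a legacy-agent path is intended, that entry can be dropped so the connector asks only for the grants it needs.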
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json
index cbec31cc165..79f6ed56ed1 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json
@@ -33,7 +33,7 @@
 }
 },
 "variables": {
- "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
+ "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
 "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]"
 },
 "resources": [
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json
new file mode 100644
index 00000000000..da00c86f02b
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json
@@ -0,0 +1,160 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspacename": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "The log analitycs workspace name"
+ }
+ },
+ "customtablename": {
+ "type": "string",
+ "defaultValue": "MessageTrackingLog_CL",
+ "minLength": 1,
+ "metadata": {
+ "description": "The name of the Custom Table to create. By default uses 'MessageTrackingLog_CL', but you can change it to any other name but do it carefully and with full knowledge of the facts ."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-12-01-preview",
+ "name": "[concat(parameters('workspacename'), '/', parameters('customtablename'))]",
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[parameters('customtablename')]",
+ "columns": [
+ {
+ "name": "directionality",
+ "type": "string"
+ },
+ {
+ "name": "reference",
+ "type": "string"
+ },
+ {
+ "name": "source",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "clientHostname",
+ "type": "string"
+ },
+ {
+ "name": "clientIP",
+ "type": "string"
+ },
+ {
+ "name": "connectorId",
+ "type": "string"
+ },
+ {
+ "name": "customData",
+ "type": "string"
+ },
+ {
+ "name": "eventId",
+ "type": "string"
+ },
+ {
+ "name": "internalMessageId",
+ "type": "string"
+ },
+ {
+ "name": "logId",
+ "type": "string"
+ },
+ {
+ "name": "messageId",
+ "type": "string"
+ },
+ {
+ "name": "messageInfo",
+ "type": "string"
+ },
+ {
+ "name": "messageSubject",
+ "type": "string"
+ },
+ {
+ "name": "networkMessageId",
+ "type": "string"
+ },
+ {
+ "name": "originalClientIp",
+ "type": "string"
+ },
+ {
+ "name": "originalServerIp",
+ "type": "string"
+ },
+ {
+ "name": "recipientAddress",
+ "type": "string"
+ },
+ {
+ "name": "recipientCount",
+ "type": "string"
+ },
+ {
+ "name": "recipientStatus",
+ "type": "string"
+ },
+ {
+ "name": "relatedRecipientAddress",
+ "type": "string"
+ },
+ {
+ "name": "returnPath",
+ "type": "string"
+ },
+ {
+ "name": "senderAddress",
+ "type": "string"
+ },
+ {
+ "name": "senderHostname",
+ "type": "string"
+ },
+ {
+ "name": "serverIp",
+ "type": "string"
+ },
+ {
+ "name": "sourceContext",
+ "type": "string"
+ },
+ {
+ "name": "schemaVersion",
+ "type": "string"
+ },
+ {
+ "name": "messageTrackingTenantId",
+ "type": "string"
+ },
+ {
+ "name": "totalBytes",
+ "type": "string"
+ },
+ {
+ "name": "transportTrafficType",
+ "type": "string"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json
index 9404db100a3..7786f9d9160 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json
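Review bot: `customtablename` accepts any name, but the companion template in this commit (azuredeploy_ESI_DCR_Option6-MessageTracking.json) hardcodes `/MessageTrackingLog_CL` for its table resource and `Custom-MessageTrackingLog_CL` for its stream, so a table created under a different name is never fed by that DCR; the parameter description should say so, or the DCR template should expose the same parameter. Log Analytics custom table names must also end in `_CL`, which `minLength: 1` cannot enforce and ARM parameters have no pattern constraint, so state it in the description, e.g. `The name of the Custom Table to create. It must end with '_CL' and must match the table name used by the Option 6 DCR; by default 'MessageTrackingLog_CL'.` The table is created without `retentionInDays`/`totalRetentionInDays`, so it follows the workspace retention settings; a sentence in the description noting that would help operators who expect a fixed retention for mail-flow logs.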
@@ -40,7 +40,7 @@
 }
 },
 "variables": {
- "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
+ "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
 "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]"
 },
 "resources": [
@@ -49,7 +49,6 @@
 "apiVersion": "2021-12-01-preview",
 "name": "[concat(parameters('workspacename'), '/MessageTrackingLog_CL')]",
 "properties": {
- "totalRetentionInDays": 90,
 "plan": "Analytics",
 "schema": {
 "name": "MessageTrackingLog_CL",
@@ -173,10 +172,13 @@
 {
 "name": "transportTrafficType",
 "type": "string"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
 }
 ]
- },
- "retentionInDays": 90
+ }
 }
 },
 {
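Review bot: Removing `totalRetentionInDays` and `retentionInDays` in the second and third hunks moves `MessageTrackingLog_CL` from an explicit 90-day retention to whatever the workspace default is, which on an existing deployment can shorten how long message-tracking evidence stays queryable for an investigation. If that is intended it deserves a sentence in the release notes and connector description; if not, keep `"retentionInDays": 90` on the table resource. The azuredeploy_ESI_Option7-HTTPProxy.json hunk below makes the same removal.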
@@ -194,123 +196,15 @@
 "Custom-MessageTrackingLog_CL": {
 "columns": [
 {
- "name": "date-time",
+ "name": "TimeGenerated",
 "type": "datetime"
 },
 {
- "name": "client-ip",
- "type": "string"
- },
- {
- "name": "client-hostname",
- "type": "string"
- },
- {
- "name": "server-ip",
- "type": "string"
- },
- {
- "name": "server-hostname",
- "type": "string"
- },
- {
- "name": "source-context",
- "type": "string"
- },
- {
- "name": "connector-id",
- "type": "string"
- },
- {
- "name": "source",
- "type": "string"
- },
- {
- "name": "event-id",
- "type": "string"
- },
- {
- "name": "internal-message-id",
- "type": "string"
- },
- {
- "name": "message-id",
- "type": "string"
- },
- {
- "name": "network-message-id",
- "type": "string"
- },
- {
- "name": "recipient-address",
- "type": "string"
- },
- {
- "name": "recipient-status",
- "type": "string"
- },
- {
- "name": "total-bytes",
- "type": "string"
- },
- {
- "name": "recipient-count",
- "type": "string"
- },
- {
- "name": "related-recipient-address",
- "type": "string"
- },
- {
- "name": "reference",
- "type": "string"
- },
- {
- "name": "message-subject",
- "type": "string"
- },
- {
- "name": "sender-address",
- "type": "string"
- },
- {
- "name": "return-path",
- "type": "string"
- },
- {
- "name": "message-info",
- "type": "string"
- },
- {
- "name": "directionality",
- "type": "string"
- },
- {
- "name": "tenant-id",
- "type": "string"
- },
- {
- "name": "original-client-ip",
- "type": "string"
- },
- {
- "name": "original-server-ip",
- "type": "string"
- },
- {
- "name": "custom-data",
- "type": "string"
- },
- {
- "name": "transport-traffic-type",
- "type": "string"
- },
- {
- "name": "log-id",
+ "name": "RawData",
 "type": "string"
 },
 {
- "name": "schema-version",
+ "name": "FilePath",
 "type": "string"
 }
 ]
@@ -351,7 +245,7 @@ "destinations": [ "la-data-destination" ], - "transformKql": "source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']\n\n", + "transformKql": "source\n| extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId 
=tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData", "outputStream": "Custom-MessageTrackingLog_CL" } ] diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json new file mode 100644 index 00000000000..87a869d2ed2 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json 
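Review bot: `split(RawData,',')` in the new `transformKql` treats each message-tracking line as plain comma-separated text and ignores CSV quoting, so any quoted field that itself contains a comma (message-subject, recipient-address lists, message-info and custom-data are free-form) shifts every later positional index and lands, for example, a subject fragment in `senderAddress`. `parse_csv` honours double-quoted fields and is a drop-in replacement: `| extend d = parse_csv(RawData)`. If the collected files carry the usual `#Software:`/`#Fields:` header lines, those rows also reach the transform and get a null `TimeGenerated` from `todatetime(d[0])`; a `| where RawData !startswith "#"` before the split (escaped as `\"#\"` inside the JSON string) keeps them out. The azuredeploy_ESI_Option7-HTTPProxy.json transform below has the same quoting problem, and there `UserAgent` values often contain commas.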
@@ -0,0 +1,336 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspacename": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The log analitycs workspace name" + } + }, + "customtablename": { + "type": "string", + "defaultValue": "ExchangeHttpProxy_CL", + "minLength": 1, + "metadata": { + "description": "The name of the Custom Table to create. By default uses 'ExchangeHttpProxy_CL', but you can change it to any other name but do it carefully and with full knowledge of the facts ." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-12-01-preview", + "name": "[concat(parameters('workspacename'), '/', parameters('customtablename'))]", + "properties": { + "plan": "Analytics", + "schema": { + "name": "[parameters('customtablename')]", + "columns": [ + { + "name": "AccountForestLatencyBreakup", + "type": "string" + }, + { + "name": "ActivityContextLifeTime", + "type": "string" + }, + { + "name": "ADLatency", + "type": "string" + }, + { + "name": "AnchorMailbox", + "type": "string" + }, + { + "name": "AuthenticatedUser", + "type": "string" + }, + { + "name": "AuthenticationType", + "type": "string" + }, + { + "name": "AuthModulePerfContext", + "type": "string" + }, + { + "name": "BackEndCookie", + "type": "string" + }, + { + "name": "BackEndGenericInfo", + "type": "string" + }, + { + "name": "BackendProcessingLatency", + "type": "string" + }, + { + "name": "BackendReqInitLatency", + "type": "string" + }, + { + "name": "BackendReqStreamLatency", + "type": "string" + }, + { + "name": "BackendRespInitLatency", + "type": "string" + }, + { + "name": "BackendRespStreamLatency", + "type": "string" + }, + { + "name": "BackEndStatus", + "type": "string" + }, + { + "name": "BuildVersion", + "type": "string" + }, + { + "name": "CalculateTargetBackEndLatency", + "type": "string" + }, + { 
+ "name": "ClientIpAddress", + "type": "string" + }, + { + "name": "ClientReqStreamLatency", + "type": "string" + }, + { + "name": "ClientRequestId", + "type": "string" + }, + { + "name": "ClientRespStreamLatency", + "type": "string" + }, + { + "name": "CoreLatency", + "type": "string" + }, + { + "name": "DatabaseGuid", + "type": "string" + }, + { + "name": "EdgeTraceId", + "type": "string" + }, + { + "name": "ErrorCode", + "type": "string" + }, + { + "name": "GenericErrors", + "type": "string" + }, + { + "name": "GenericInfo", + "type": "string" + }, + { + "name": "GlsLatencyBreakup", + "type": "string" + }, + { + "name": "HandlerCompletionLatency", + "type": "string" + }, + { + "name": "HandlerToModuleSwitchingLatency", + "type": "string" + }, + { + "name": "HttpPipelineLatency", + "type": "string" + }, + { + "name": "HttpProxyOverhead", + "type": "string" + }, + { + "name": "HttpStatus", + "type": "string" + }, + { + "name": "IsAuthenticated", + "type": "string" + }, + { + "name": "KerberosAuthHeaderLatency", + "type": "string" + }, + { + "name": "MajorVersion", + "type": "string" + }, + { + "name": "Method", + "type": "string" + }, + { + "name": "MinorVersion", + "type": "string" + }, + { + "name": "ModuleToHandlerSwitchingLatency", + "type": "string" + }, + { + "name": "Organization", + "type": "string" + }, + { + "name": "PartitionEndpointLookupLatency", + "type": "string" + }, + { + "name": "Protocol", + "type": "string" + }, + { + "name": "ProtocolAction", + "type": "string" + }, + { + "name": "ProxyAction", + "type": "string" + }, + { + "name": "ProxyTime", + "type": "string" + }, + { + "name": "RequestBytes", + "type": "string" + }, + { + "name": "RequestHandlerLatency", + "type": "string" + }, + { + "name": "RequestId", + "type": "string" + }, + { + "name": "ResourceForestLatencyBreakup", + "type": "string" + }, + { + "name": "ResponseBytes", + "type": "string" + }, + { + "name": "RevisionVersion", + "type": "string" + }, + { + "name": 
"RouteRefresherLatency", + "type": "string" + }, + { + "name": "RoutingHint", + "type": "string" + }, + { + "name": "RoutingLatency", + "type": "string" + }, + { + "name": "RoutingStatus", + "type": "string" + }, + { + "name": "RoutingType", + "type": "string" + }, + { + "name": "ServerHostName", + "type": "string" + }, + { + "name": "ServerLocatorHost", + "type": "string" + }, + { + "name": "ServerLocatorLatency", + "type": "string" + }, + { + "name": "SharedCacheLatencyBreakup", + "type": "string" + }, + { + "name": "TargetOutstandingRequests", + "type": "string" + }, + { + "name": "TargetServer", + "type": "string" + }, + { + "name": "TargetServerVersion", + "type": "string" + }, + { + "name": "TotalAccountForestLatency", + "type": "string" + }, + { + "name": "TotalGlsLatency", + "type": "string" + }, + { + "name": "TotalRequestTime", + "type": "string" + }, + { + "name": "TotalResourceForestLatency", + "type": "string" + }, + { + "name": "TotalSharedCacheLatency", + "type": "string" + }, + { + "name": "UrlHost", + "type": "string" + }, + { + "name": "UrlQuery", + "type": "string" + }, + { + "name": "UrlStem", + "type": "string" + }, + { + "name": "UserADObjectGuid", + "type": "string" + }, + { + "name": "UserAgent", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "FilePath", + "type": "string" + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json index 737dee3b406..657121bf321 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json 
@@ -40,7 +40,7 @@
 }
 },
 "variables": {
- "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
+ "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
 "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]"
 },
 "resources": [
@@ -49,7 +49,6 @@
 "apiVersion": "2021-12-01-preview",
 "name": "[concat(parameters('workspacename'), '/ExchangeHttpProxy_CL')]",
 "properties": {
- "totalRetentionInDays": 90,
 "plan": "Analytics",
 "schema": {
 "name": "ExchangeHttpProxy_CL",
@@ -349,10 +348,13 @@
 {
 "name": "TimeGenerated",
 "type": "datetime"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
 }
 ]
- },
- "retentionInDays": 90
+ }
 }
 },
 {
@@ -374,299 +376,11 @@ "type": "datetime" }, { - "name": "DateTime", - "type": "string" - }, - { - "name": "RequestId", - "type": "string" - }, - { - "name": "MajorVersion", - "type": "string" - }, - { - "name": "MinorVersion", - "type": "string" - }, - { - "name": "BuildVersion", - "type": "string" - }, - { - "name": "RevisionVersion", - "type": "string" - }, - { - "name": "ClientRequestId", - "type": "string" - }, - { - "name": "Protocol", - "type": "string" - }, - { - "name": "UrlHost", - "type": "string" - }, - { - "name": "UrlStem", - "type": "string" - }, - { - "name": "ProtocolAction", - "type": "string" - }, - { - "name": "AuthenticationType", - "type": "string" - }, - { - "name": "IsAuthenticated", - "type": "string" - }, - { - "name": "AuthenticatedUser", - "type": "string" - }, - { - "name": "Organization", - "type": "string" - }, - { - "name": "AnchorMailbox", - "type": "string" - }, - { - "name": "UserAgent", - "type": "string" - }, - { - "name": "ClientIpAddress", - "type": "string" - }, - { - "name": "ServerHostName", - "type": "string" - }, - { - "name": "HttpStatus", - "type": "string" - }, - { - "name": "BackEndStatus", - "type": "string" - }, - { - "name": "ErrorCode", - "type": "string" - }, - { - "name": "Method", - "type": "string" - }, - { - "name": "ProxyAction", - "type": "string" - }, - { - "name": "TargetServer", - "type": "string" - }, - { - "name": "TargetServerVersion", - "type": "string" - }, - { - "name": "RoutingType", - "type": "string" - }, - { - "name": "RoutingHint", - "type": "string" - }, - { - "name": "BackEndCookie", - "type": "string" - }, - { - "name": "ServerLocatorHost", - "type": "string" - }, - { - "name": "ServerLocatorLatency", - "type": "string" - }, - { - "name": "RequestBytes", - "type": "string" - }, - { - "name": "ResponseBytes", - "type": "string" - }, - { - "name": "TargetOutstandingRequests", - "type": "string" - }, - { - "name": "AuthModulePerfContext", - "type": "string" - }, - { - "name": 
"HttpPipelineLatency", - "type": "string" - }, - { - "name": "CalculateTargetBackEndLatency", - "type": "string" - }, - { - "name": "GlsLatencyBreakup", - "type": "string" - }, - { - "name": "TotalGlsLatency", - "type": "string" - }, - { - "name": "AccountForestLatencyBreakup", - "type": "string" - }, - { - "name": "TotalAccountForestLatency", - "type": "string" - }, - { - "name": "ResourceForestLatencyBreakup", - "type": "string" - }, - { - "name": "TotalResourceForestLatency", - "type": "string" - }, - { - "name": "ADLatency", - "type": "string" - }, - { - "name": "SharedCacheLatencyBreakup", - "type": "string" - }, - { - "name": "TotalSharedCacheLatency", - "type": "string" - }, - { - "name": "ActivityContextLifeTime", - "type": "string" - }, - { - "name": "ModuleToHandlerSwitchingLatency", - "type": "string" - }, - { - "name": "ClientReqStreamLatency", - "type": "string" - }, - { - "name": "BackendReqInitLatency", - "type": "string" - }, - { - "name": "BackendReqStreamLatency", - "type": "string" - }, - { - "name": "BackendProcessingLatency", - "type": "string" - }, - { - "name": "BackendRespInitLatency", - "type": "string" - }, - { - "name": "BackendRespStreamLatency", - "type": "string" - }, - { - "name": "ClientRespStreamLatency", - "type": "string" - }, - { - "name": "KerberosAuthHeaderLatency", - "type": "string" - }, - { - "name": "HandlerCompletionLatency", - "type": "string" - }, - { - "name": "RequestHandlerLatency", - "type": "string" - }, - { - "name": "HandlerToModuleSwitchingLatency", - "type": "string" - }, - { - "name": "ProxyTime", - "type": "string" - }, - { - "name": "CoreLatency", - "type": "string" - }, - { - "name": "RoutingLatency", - "type": "string" - }, - { - "name": "HttpProxyOverhead", - "type": "string" - }, - { - "name": "TotalRequestTime", - "type": "string" - }, - { - "name": "RouteRefresherLatency", - "type": "string" - }, - { - "name": "UrlQuery", - "type": "string" - }, - { - "name": "BackEndGenericInfo", - "type": "string" - 
}, - { - "name": "GenericInfo", - "type": "string" - }, - { - "name": "GenericErrors", - "type": "string" - }, - { - "name": "EdgeTraceId", - "type": "string" - }, - { - "name": "DatabaseGuid", - "type": "string" - }, - { - "name": "UserADObjectGuid", - "type": "string" - }, - { - "name": "PartitionEndpointLookupLatency", + "name": "RawData", "type": "string" }, { - "name": "RoutingStatus", + "name": "FilePath", "type": "string" } ] 
@@ -716,7 +430,7 @@ "destinations": [ "la-data-destination" ], - "transformKql": "source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime\n\n", + "transformKql": "source | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) 
,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) ,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime", "outputStream": "Custom-ExchangeHttpProxy_CL" } ] diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json index 00c0c0a44c9..c7462b84ea1 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json 
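Review bot: The new `transformKql` ends with `| project-away d,RawData,DateTime | project-away d,RawData,DateTime`; the second `project-away` names columns the first one has already removed, which I believe Kusto rejects as an unresolved column reference when the DCR is validated, and is dead text at best. Drop the duplicate so the pipeline ends `| extend TimeGenerated = DateTime | project-away d,RawData,DateTime`. The positional `split(RawData,',')` here shares the CSV-quoting problem raised on the MessageTracking transform above.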
@@ -5,13 +5,20 @@
 "Description": "The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)",
 "Data Connectors": [
 "Data Connectors/ESI-ExchangeAdminAuditLogEvents.json",
- "Data Connectors/ESI-ExchangeOnPremisesCollector.json"
+ "Data Connectors/ESI-ExchangeOnPremisesCollector.json",
+ "Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json",
+ "Data Connectors/ESI-Opt2ExchangeServersEventLogs.json",
+ "Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json",
+ "Data Connectors/ESI-Opt5ExchangeIISLogs.json",
+ "Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json",
+ "Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json"
 ],
 "Parsers": [
 "Parsers/ExchangeAdminAuditLogs.yaml",
 "Parsers/ExchangeConfiguration.yaml",
 "Parsers/ExchangeEnvironmentList.yaml",
- "Parsers/MESCheckVIP.yaml"
+ "Parsers/MESCheckVIP.yaml",
+ "Parsers/MESCompareDataOnPMRA.yaml"
 ],
 "Workbooks": [
 "Workbooks/Microsoft Exchange Least Privilege with RBAC.json",
@@ -28,7 +35,7 @@
 "Watchlists/ExchangeVIP.json"
 ],
 "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\",
- "Version": "3.1.5",
+ "Version": "3.3.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip new file mode 100644 index 00000000000..2d56ee0620f Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip differ diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json index 354722fba77..20ce28013be 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. 
[Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 2, **Parsers:** 4, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 8, **Parsers:** 5, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,57 +60,64 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs two (2) data connectors for ingesting Microsoft Exchange on-premises events to provide security insights. Each of these data connectors help ingest a different set of logs/events." + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors2-text", - "type": "Microsoft.Common.Section", - "label": "1. Exchange Security Insights On-Premises Collector", - "elements": [ - { - "name": "dataconnectors3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This data connector collects security configuration, RBAC information and audit information from your on-premises Exchange environment(s). It uses a scheduled script that needs to be manually deployed in your environment. This connects directly (via proxy if needed) to Log Analytics/Microsoft Sentinel to ingest data." + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } - } - ] }, { "name": "dataconnectors4-text", - "type": "Microsoft.Common.Section", - "label": "2. Exchange Audit Event logs via Legacy Agent", - "elements": [ - { - "name": "dataconnectors5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This data connector uses Log Analytics Agent or Azure Monitor Agent to collect MSExchange Management Eventlogs, Exchange Security logs, Domain Controllers Security logs, IIS Logs, Exchange logs. Not all logs are required but it depends on your needs and on what you want to collect and secure for hunting in case of compromise. The first important logs consumed by this solution are “MSExchange Management” Event logs." - } - } - ] + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } }, { "name": "dataconnectors6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "After installing the solution, configure and enable the data connector that’s most relevant to your Exchange environment by following guidance in Manage solution view." 
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { - "name": "dataconnectors-parser", - "type": "Microsoft.Common.Section", - "label": "Parsers", - "elements": [ + "name": "dataconnectors8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs four (4) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. 
The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
- }
- ]
 },
 {
 "name": "dataconnectors-link2",
@@ -321,4 +328,4 @@
 "workspace": "[basics('workspace')]"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
index b2e9d5ed6cd..8161f1dc1f8 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
@@ -81,7 +81,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Microsoft Exchange Security - Exchange On-Premises",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.3.0",
 "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ESI-ExchangeAdminAuditLogEvents",
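Review bot: The eight `dataconnectorsN-text` blocks now carry the same generic paragraph verbatim, and `dataconnectors-parser-text` says the solution "installs a parser" producing "Microsoft Sentinel normalized format", while the basics description in this same file now counts `**Parsers:** 5` and the parser list in Solution_MicrosoftExchangeSecurity.json (ExchangeAdminAuditLogs, ExchangeConfiguration, ExchangeEnvironmentList, MESCheckVIP, MESCompareDataOnPMRA) does not look like ASIM normalization parsers. The replaced text named each connector's purpose and the Kusto function aliases, which is what an installer needs to decide which of the eight connectors to enable. Suggest one sentence of purpose per connector in each TextBlock and a parser sentence such as `"text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, ExchangeEnvironmentList, MESCheckVIP and MESCompareDataOnPMRA Kusto Function aliases."` (alias names to be confirmed against the parser YAMLs). If these blocks are emitted by the packaging tool rather than hand-written, the fix belongs in that tool's input.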
@@ -91,7 +91,7 @@ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "2.2.1", + "dataConnectorVersion1": "2.2.2", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "uiConfigId2": "ESI-ExchangeOnPremisesCollector", "_uiConfigId2": "[variables('uiConfigId2')]", 
@@ -100,8 +100,62 @@ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", "_dataConnectorId2": "[variables('dataConnectorId2')]", "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.2.1", + "dataConnectorVersion2": "1.2.2", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "uiConfigId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs", + "_uiConfigId3": "[variables('uiConfigId3')]", + "dataConnectorContentId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs", + "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", + "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "_dataConnectorId3": "[variables('dataConnectorId3')]", + "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", + "dataConnectorVersion3": "1.0.0", + "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", + "uiConfigId4": "ESI-Opt2ExchangeServersEventLogs", + "_uiConfigId4": "[variables('uiConfigId4')]", + "dataConnectorContentId4": "ESI-Opt2ExchangeServersEventLogs", + "_dataConnectorContentId4": 
"[variables('dataConnectorContentId4')]", + "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "_dataConnectorId4": "[variables('dataConnectorId4')]", + "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", + "dataConnectorVersion4": "1.0.0", + "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", + "uiConfigId5": "ESI-Opt34DomainControllersSecurityEventLogs", + "_uiConfigId5": "[variables('uiConfigId5')]", + "dataConnectorContentId5": "ESI-Opt34DomainControllersSecurityEventLogs", + "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]", + "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "_dataConnectorId5": "[variables('dataConnectorId5')]", + "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]", + "dataConnectorVersion5": "1.0.0", + "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]", + "uiConfigId6": "ESI-Opt5ExchangeIISLogs", + "_uiConfigId6": "[variables('uiConfigId6')]", + "dataConnectorContentId6": "ESI-Opt5ExchangeIISLogs", + "_dataConnectorContentId6": 
"[variables('dataConnectorContentId6')]", + "dataConnectorId6": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "_dataConnectorId6": "[variables('dataConnectorId6')]", + "dataConnectorTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId6'))))]", + "dataConnectorVersion6": "1.0.0", + "_dataConnectorcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId6'),'-', variables('dataConnectorVersion6'))))]", + "uiConfigId7": "ESI-Opt6ExchangeMessageTrackingLogs", + "_uiConfigId7": "[variables('uiConfigId7')]", + "dataConnectorContentId7": "ESI-Opt6ExchangeMessageTrackingLogs", + "_dataConnectorContentId7": "[variables('dataConnectorContentId7')]", + "dataConnectorId7": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "_dataConnectorId7": "[variables('dataConnectorId7')]", + "dataConnectorTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId7'))))]", + "dataConnectorVersion7": "1.0.0", + "_dataConnectorcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId7'),'-', variables('dataConnectorVersion7'))))]", + "uiConfigId8": "ESI-Opt7ExchangeHTTPProxyLogs", + "_uiConfigId8": "[variables('uiConfigId8')]", + "dataConnectorContentId8": "ESI-Opt7ExchangeHTTPProxyLogs", + "_dataConnectorContentId8": 
"[variables('dataConnectorContentId8')]", + "dataConnectorId8": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]", + "_dataConnectorId8": "[variables('dataConnectorId8')]", + "dataConnectorTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId8'))))]", + "dataConnectorVersion8": "1.0.0", + "_dataConnectorcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId8'),'-', variables('dataConnectorVersion8'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','ExchangeAdminAuditLogs Data Parser')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", @@ -130,6 +184,13 @@ "parserVersion4": "1.0.0", "parserContentId4": "MESCheckVIP-Parser" }, + "parserObject5": { + "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataOnPMRA')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataOnPMRA-Parser')))]", + "parserVersion5": "1.0.0", + "parserContentId5": "MESCompareDataOnPMRA-Parser" + }, "workbookVersion1": "1.0.1", "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
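Review bot: The new parserObject5 (MESCompareDataOnPMRA) brings the solution to five parser objects, but the createUiDefinition text changed earlier in this commit now reads "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format", which no longer matches either the count or the function aliases (ExchangeAdminAuditLogs, MESCheckVIP and MESCompareDataOnPMRA are visible here; ExchangeConfiguration and ExchangeEnvironmentList were named by the old text). Nothing in these hunks suggests the parsers are ASIM normalizers, so the "normalized format" wording looks like generator boilerplate rather than a description of this solution. I would restore a list in the style of the old sentence, e.g. `"The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, ExchangeEnvironmentList, MESCheckVIP and MESCompareDataOnPMRA Kusto Function aliases."`, and keep it in step with the parserObject entries.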
@@ -149,7 +210,7 @@ "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", "_workbookContentId3": "[variables('workbookContentId3')]", "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", - "workbookVersion4": "1.0.1", + "workbookVersion4": "2.0.0", "workbookContentId4": "MicrosoftExchangeSecurityReview", "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", @@ -185,7 +246,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -201,9 +262,9 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Microsoft Exchange Logs and Events", + "title": "[Deprecated] Microsoft Exchange Logs and Events", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", "graphQueries": [ { "metricName": "Total data received", 
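Review bot: The deprecation notice added to descriptionMarkdown points users at "the 'ESI-Opt' dataconnectors", but `ESI-Opt…` is the internal id prefix (uiConfigId3–8), not a title anyone sees in the connector gallery, so a reader of this connector page cannot tell which connectors replace it. The same text is repeated in the `@@ -989,9 +1066,9 @@` hunk and the bare "[Deprecated]" title appears twice more in the displayName/title hunks. I would name the replacement connectors by their displayed titles and link the options wiki already used elsewhere in this file, e.g. `"descriptionMarkdown": "**Deprecated.** Use the option-based Exchange data connectors instead (see the ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)). You can stream all Exchange Audit events, …"`, and fix "dataconnectors" to "data connectors".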
@@ -301,35 +362,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -409,7 +449,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
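Review bot: The new "Detailled documentation" prerequisite misspells "Detailed" in both its name and its description, and the same block is added verbatim in the `@@ -1089,35 +1166,14 @@`, `@@ -1770,40 +1863,14 @@` and `@@ -2021,40 +2125,14 @@` hunks, so the typo is user-visible in all four connector definitions. Change both strings to `"name": "Detailed documentation"` and `"description": ">**NOTE:** Detailed documentation on installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"`. The hunk also removes the parser instruction step from the head of instructionSteps; it is re-added at the tail in the `@@ -890,15 +930,52 @@` hunk, so that part is fine.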
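Review bot: Step 5 of the DCR instructions now tells the user to enter 'MSExchange Management' as the custom expression, but the Azure Monitor Agent "Custom" Windows Event Log input takes an XPath in the `Channel!XPath` form, so the bare channel name would presumably be rejected or match nothing; `MSExchange Management!*` is the form I would expect, worth confirming against the DCR documentation before merging. The identical description is changed in the `@@ -1197,7 +1253,7 @@` hunk. The legacy-agent instruction in the `@@ -429,7 +469,7 @@` hunk only asks for the log name, so `MSExchange Management` is correct there.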
@@ -429,7 +469,7 @@ }, { "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", + "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", "instructions": [ { "parameters": { 
@@ -890,15 +930,52 @@ } ], "title": "2. Deploy log injestion following choosed options" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9", - "version": "2.2.1", + "version": "2.2.2", "kind": "dataConnector", "source": { "kind": "solution", - "name": "ESI - Exchange Security Configuration Analyzer" + "name": "Microsoft Exchange Security - Exchange On-Premises" }, "support": { "name": "Community", 
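Review bot: The re-added parser step's description says both "Parsers are automatically deployed with the solution" and "Follow the steps to create the Kusto Functions alias" in consecutive sentences, which reads as an instruction to do manually what the previous sentence says is automatic; the inner title gets it right ("If you want to deploy manually, follow the steps below"). I would align the description, e.g. `"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution; only if you need to deploy them manually, follow the steps below to create the Kusto Function alias [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"`. The same block is duplicated in the `@@ -1678,6 +1734,43 @@` hunk and should be changed there too. The three-level InstructionStepsGroup nesting (outer group, "Manual Parser Deployment" step, untitled inner group) is harder to follow than the flat group it replaces; if the UI allows it, the inner group could simply carry the step list directly.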
@@ -946,7 +1023,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Microsoft Exchange Logs and Events", + "displayName": "[Deprecated] Microsoft Exchange Logs and Events", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" @@ -989,9 +1066,9 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Microsoft Exchange Logs and Events", + "title": "[Deprecated] Microsoft Exchange Logs and Events", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", "graphQueries": [ { "metricName": "Total data received", 
@@ -1089,35 +1166,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -1197,7 +1253,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
@@ -1217,7 +1273,7 @@ }, { "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", + "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", "instructions": [ { "parameters": { 
@@ -1678,6 +1734,43 @@ } ], "title": "2. Deploy log injestion following choosed options" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId1')]" 
@@ -1693,7 +1786,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -1709,7 +1802,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "Exchange Security Insights On-Premise Collector", + "title": "Exchange Security Insights On-Premises Collector", "publisher": "Microsoft", "descriptionMarkdown": "Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis", "graphQueries": [ @@ -1728,7 +1821,7 @@ "dataTypes": [ { "name": "ESIExchangeConfig_CL", - "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
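Review bot: In the new lastDataReceivedQuery the `where isnotempty(Time)` filter sits before the added `summarize Time = max(Time)`, and I believe a `summarize` without a `by` clause over an empty input still emits a single row with a null aggregate, so the guard no longer prevents an empty Time from reaching the connector's "last data received" check when no rows exist. The grouping by GenerationInstanceID_g and ESIEnvironment_s is also redundant once the result is collapsed to a single max. A simpler, equivalent form is `"lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time) | project Time"`; the same string is changed in the `@@ -1973,7 +2077,7 @@` hunk. Either way, add the missing space in `|summarize` for consistency with the rest of the pipeline.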
@@ -1770,40 +1863,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**" - }, { "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", "instructions": [ 
@@ -1861,11 +1928,48 @@ { "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management", "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d", - "version": "1.2.1", + "version": "1.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
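Review bot: The parser step added to the ESI collector connector (uiConfigId2, data type ESIExchangeConfig_CL) is a copy of connector 1's step and names the ExchangeAdminAuditLogs parser, while the step this commit removes from the same connector in the `@@ -1770,40 +1863,14 @@` hunk named the parsers this connector actually depends on, ExchangeConfiguration and ExchangeEnvironmentList. The copied step 3 also says "No parameter is needed for this parser", whereas the removed text said to define the parameters asked for in the parser header. I would rewrite the description and the three sub-steps to reference `https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser` and `https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser`, restore the "Define the parameters as asked on the header of the parser file" wording and the fourth step that repeats the procedure for ExchangeEnvironmentList. The second copy of this connector definition, whose prerequisites change in the `@@ -2021,40 +2125,14 @@` hunk, presumably receives the same step beyond this view and needs the same correction.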
@@ -1917,7 +2021,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "Exchange Security Insights On-Premise Collector", + "displayName": "Exchange Security Insights On-Premises Collector", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" @@ -1960,7 +2064,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Exchange Security Insights On-Premise Collector", + "title": "Exchange Security Insights On-Premises Collector", "publisher": "Microsoft", "descriptionMarkdown": "Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis", "graphQueries": [ @@ -1973,7 +2077,7 @@ "dataTypes": [ { "name": "ESIExchangeConfig_CL", - "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
@@ -2021,40 +2125,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**" - }, { "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", "instructions": [ 
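Review bot: The new `customs` entry spells "Detailed" as `Detailled` in both its `name` and its `description`, and both strings are shown verbatim on the connector page; `"name": "Detailed documentation"` and the same correction in the description sentence is the intended text. The identical misspelled pair is added again for connectors 3 and 4 in the large hunk that follows (`@@ -2121,76 +2236,2828 @@`), so fix it there too. The surrounding `connectorUiConfig` object begins before and ends after this hunk.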
@@ -2112,6 +2190,43 @@ { "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management", "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId2')]" 
@@ -2121,76 +2236,2828 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", + "name": "[variables('dataConnectorTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeAdminAuditLogs Data Parser with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", + "contentVersion": "[variables('dataConnectorVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Parser for ExchangeAdminAuditLogs", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ExchangeAdminAuditLogs", - "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) 
;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse 
ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project 
TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "Microsoft Exchange Security - Exchange On-Premises", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", + "connectorUiConfig": { + "id": "[variables('_uiConfigId3')]", + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can 
stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "DCR", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. 
If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - 
Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId3')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Admin Audit Logs by Event Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId3')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { 
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "DCR", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. 
If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "id": "[variables('_uiConfigId3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": 
"[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId4')]", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers" + } + ], + "metadata": { + "id": "22e0234b-278d-40f4-8be8-c2968faeaf91", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", 
+ "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId4')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Logs and Events", + "contentProductId": "[variables('_dataConnectorcontentProductId4')]", + "id": "[variables('_dataConnectorcontentProductId4')]", + "version": "[variables('dataConnectorVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId4')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft 
Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId5')]", + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent 
-You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Security logs of Domain Controllers" + } + ], + "metadata": { + "id": "036e16af-5a27-465a-8662-b7ac385a8d45", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + 
"properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId5')]", + "contentKind": "DataConnector", + "displayName": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId5')]", + "id": "[variables('_dataConnectorcontentProductId5')]", + "version": "[variables('dataConnectorVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId5')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + 
"version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. 
This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Security logs of Domain Controllers" + } + ], + "id": "[variables('_uiConfigId5')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId6')]", + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", 
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "[Option 5] IIS logs of Exchange Servers" + } + ], + "metadata": { + "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "contentId": "[variables('_dataConnectorContentId6')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('_dataConnectorContentId6')]", + "contentKind": "DataConnector", + "displayName": "IIS Logs of Microsoft Exchange Servers", + "contentProductId": "[variables('_dataConnectorcontentProductId6')]", + "id": "[variables('_dataConnectorcontentProductId6')]", + "version": "[variables('dataConnectorVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId6')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "contentId": "[variables('_dataConnectorContentId6')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your 
Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. 
From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "[Option 5] IIS logs of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId6')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId7')]", + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. 
This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Message Tracking of Exchange Servers" + } + ], + "metadata": { + "id": "ababbb06-b977-4259-ab76-87874d353039", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "contentId": "[variables('_dataConnectorContentId7')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId7')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Message Tracking Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId7')]", + "id": "[variables('_dataConnectorcontentProductId7')]", + "version": "[variables('dataConnectorVersion7')]" + } + }, + { 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId7')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "contentId": "[variables('_dataConnectorContentId7')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. 
This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Message Tracking of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId7')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId8')]", + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. 
[Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
[Option 7] HTTP Proxy of Exchange Servers" + } + ], + "metadata": { + "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]", + "contentId": "[variables('_dataConnectorContentId8')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion8')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId8')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange HTTP Proxy Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId8')]", + "id": "[variables('_dataConnectorcontentProductId8')]", + "version": "[variables('dataConnectorVersion8')]" + } + }, + { 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId8')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]", + "contentId": "[variables('_dataConnectorContentId8')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion8')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. 
[Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
[Option 7] HTTP Proxy of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId8')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExchangeAdminAuditLogs Data Parser with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ExchangeAdminAuditLogs", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ExchangeAdminAuditLogs", + "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName 
_GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 
1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + 
"value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Microsoft Exchange Security - Exchange On-Premises", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Parser for ExchangeAdminAuditLogs", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.3.0')))]", 
@@ -2257,7 +5124,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.1.5", + "description": "ExchangeConfiguration Data Parser with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -2387,7 +5254,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5", + "description": "ExchangeEnvironmentList Data Parser with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", @@ -2517,7 +5384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckVIP Data Parser with template version 3.1.5", + "description": "MESCheckVIP Data Parser with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", 
@@ -2638,6 +5505,136 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject5').parserTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MESCompareDataOnPMRA Data Parser with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject5').parserVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject5')._parserName5]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for MRA Configuration Data Comparison On-Premises", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MESCompareDataOnPMRA", + "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , 
strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| 
project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "name": "Microsoft Exchange Security - Exchange On-Premises", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject5').parserContentId5]", + "contentKind": "Parser", + "displayName": "Parser for MRA Configuration Data Comparison On-Premises", + "contentProductId": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "version": "[variables('parserObject5').parserVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject5')._parserName5]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for MRA Configuration Data Comparison On-Premises", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MESCompareDataOnPMRA", + "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , 
strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| 
project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -2647,7 +5644,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.1.5", + "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2738,7 +5735,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.1.5", + "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -2829,7 +5826,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Admin Activity Workbook with template version 3.1.5", + "description": "Microsoft Exchange Admin Activity Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -2920,7 +5917,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security Review Workbook with template version 3.1.5", + "description": "Microsoft Exchange Security Review Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion4')]", 
@@ -2938,7 +5935,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = 
iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook 
Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section display the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis 
section is built from a file located in the public github repository.\\r\\nThe repository is manually updated by the team project when new CU/SU are released.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 
2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat 
(VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version break down\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nThis can be used to track \\r\\n- Unexpected behaviors\\r\\n- Who did a modification\\r\\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that Admin Audit Log is not disabled\\r\\n- Ensure that critical Cmdlets have not been excluded\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\\r\\n- Review the retention configuration for the Admin Audit Log content\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. 
Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| 
extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\"},\"name\":\"POP 
authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those who need to actually use this protocol.\\r\\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all the mailboxes except those who really need it \\r\\n- Monitor the POP connections\\r\\n- Change the password of the application on a regular basis\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using POP\\r\\n- Enable POP logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and 
authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = 
tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which needs to use this protocol. 
Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \\r\\n- Monitor the connection\\r\\n- Regularly, change the password of the application\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using IMAP\\r\\n- Enable IMAP logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join 
(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration 
Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the Generic All permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": 
\\\"True\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), 
tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example :
\\r\\n- Permissions Full Access \\r\\n- Permission on mailboxes folders\\r\\n\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n//| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName !in (\\\"Hygiene Management\\\",\\\"Exchange Online-ApplicationAccount\\\",\\\"Discovery Management\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"Export\\\" or CmdletResultValue.Role.Name contains \\\"Impersonation\\\" or (CmdletResultValue.Role.Name contains \\\"Search\\\" and CmdletResultValue.Role.Name !contains \\\"MailboxSearchApplication\\\")\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of delegations for sensitive RBAC roles\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation 
Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nHelp for the role Application Impersonation\\r\\n\\r\\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\\r\\n\\r\\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Role.Name contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n//| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend 
RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to export the content all mailboxes in a scope in PST file.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows search in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. 
The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Import Export\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExportRoleHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to 
search inside all or in a scope of mailboxes and export the result in PST.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nExchange Online-ApplicationAccount\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\\r\\n\\r\\n⚡ This role is very powerful.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Search\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend 
CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, 
ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"ReceiveAs/SendAs Extended Right on databases\",\"items\":[{\"type\":1,\"content\":{\"json\":\"These are delegations at the database level.\\r\\n\\r\\n**Receive As Extended Right on database's objects in the Configuration**\\r\\n\\r\\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\\r\\n\\r\\nHelp for Receive As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\\r\\n\\r\\n**Send As Extended Right on database objects in the Configuration**\\r\\n\\r\\n\\r\\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\\r\\n\\r\\nHelp for Send As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. 
When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SendAsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique Acct\\\",\\\"SendAs Unique Acct\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of accounts with ReceiveAs/SendAs 
delegations\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_UserString\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsUsersTiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique DB\\\",\\\"SendAs Unique DB\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs/SendAs database 
delegations\",\"color\":\"purple\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_Identity_Name\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsTiles\",\"styleSettings\":{\"margin\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| summarize Count =count() by Account,DatabaseName\\r\\n| project Account,Count,DatabaseName\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs Extended Right on databases\",\"noDataMessage\":\"No Receive-As 
delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseReceiveAsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| summarize Count =count() by Account, DatabaseName\\r\\n| project Account, Count, DatabaseName\",\"size\":1,\"showAnalytics\":true,\"title\":\"SendAs Extended Right on databases\",\"noDataMessage\":\"No Send-As 
delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]}},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseSendAsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ReceiveSendAs\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Local Administrators\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The following section will display the content of the local Administrators group for each server\\r\\n\\r\\n** When content refer to groups from other forests, none or partial information will be displayed and the number of Administrators may be inconsistent. **\\r\\n\\r\\nMost of the sections display the same information but with differents sorting, displays...\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"Only Exchange administrators should be members of the local Administrators group of Exchange servers.\\r\\n\\r\\nYou need to review the content of the local Administrators group on a regular basis.\\r\\n\\r\\nIt is considered a high security risk to have a discrepancy of members between the servers. \\r\\n\\r\\nIt is not recommended to have more than one local administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\\r\\n\\r\\nOnly Exchange administrators should be able to logon on Exchange servers.\\r\\n\\r\\nHere the default content of the local Administrators group for an Exchange server \\r\\n:\\r\\n- Administrator (this account can be renamed)\\r\\n- Domain Admins\\r\\n- Exchange Trusted Subsystem\\r\\n- Organization Management\\r\\n\\r\\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements. \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"dfffbaa4-5888-41c2-b039-dafb6110260c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"**Top 10 servers with high number of unique local Administrators members**\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where 
CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| top 10 by dcount_MemberPath\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Click to see number of unique members for all servers\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Number of unique members for all servers\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local 
Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9 - Copy\"}]},\"name\":\"All servers number of members\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allsrv = ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | where \\r\\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Name = tostring(trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\\r\\n| distinct Name\\r\\n| project Name\\r\\n| join kind=rightanti (allsrv) on Name\\r\\n| project CmdletResultValue.Name\",\"size\":4,\"title\":\"Servers not reachable\",\"noDataMessage\":\"All server were successfully 
analyzed\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.ServerRole <> 64\\r\\n| count\\r\\n\",\"size\":4,\"title\":\"Number of servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\\r\\n| count \",\"size\":4,\"title\":\"Number of Analyzed 
servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"This view shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\\r\\n\\r\\nConsider reviewing:\\r\\n- **nonstandard members** the Memberpath help to understand from which group the user comprised\\r\\n- **inconsistent memebrs** across servers\\r\\n\\r\\nNote that content from Trusted forests might not be displayed. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminPerServersHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = 
tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| project Parentgroup = strcat(\\\"💻 \\\",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| sort by Parentgroup asc \",\"size\":1,\"showAnalytics\":true,\"title\":\" Total Non standard Groups and accounts including nested groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parentgroup\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"Server\"}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"LocalAdminPerServers\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend MemberPath 
= tostring(CmdletResultValue.MemberPath)\\r\\n| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue\\r\\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\\r\\n| summarize Count=count() by MemberPath,Parentgroup \\r\\n| sort by Count desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Non Standard accounts summary\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"MemberPath\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Member\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"MemberPath\"],\"expandTopLevel\":false},\"labelSettings\":[{\"columnId\":\"MemberPath\",\"label\":\"MemberPath\"},{\"columnId\":\"Parentgroup\",\"label\":\"Servers\"},{\"columnId\":\"Count\",\"label\":\"Nb Servers\"}]}},\"name\":\"LocalAdminCount\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Select a server to display its content\\r\\n\\r\\nBy default only the non-standard members are displayed. 
\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19e606d9-7f3e-4d2f-a314-892da571e50a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"label\":\"Show only nonstandard members\",\"type\":10,\"description\":\"Show only non standard members\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"value\":\"True\"},{\"id\":\"901bf975-426f-486b-82de-ff0d64f139bb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", 
\\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"2f7a613f-8749-44c9-b8be-844964badef8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where CmdletResultValue.Parentgroup contains \\\"{Server}\\\"\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or 
tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(365d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\\r\\n| project-away Parentgroup\",\"size\":1,\"showAnalytics\":true,\"title\":\"Local Administrators group 
content\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Server\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"AdGroups\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"Local Administrators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange and AD GRoup\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays the content of high privilege groups in Exchange and AD.\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Trusted Subsystem** group is one the two most sensistive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contains computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\\r\\n\\r\\nThis section only shows direct nonstandard members.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExchangeTrustedSubsystemHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Windows Permissions** group is one the two most sensistive groups in Exchange. This group has very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contains the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. 
\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"WindowsPermissionGroupTileHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontent = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontent)\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem group nonstandard member count\",\"noDataMessage\":\"Content of group as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup1Query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Result = iff ( CmdletResultType == \\\"Success\\\", \\\"\\\", \\\"Error in the script unable to retrieve value\\\")\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions group direct nonstandard members (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of group as 
expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup2Query\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontnet = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontnet)\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name 
\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem nonstandard content\",\"noDataMessage\":\"Content of Exchange Trusted SubSystem as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"ETSDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of Exchange Windows Permissions as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"WindowsPermissionsQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ETS and WP Grids\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange groups from old Exchange 
version\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Groups from old Exchange version should have been removed\\r\\n- List of old groups \\r\\n\\t- Exchange Organization Administrators\\r\\n\\t- Exchange Recipient Administrators\\r\\n\\t- Exchange Public Folder Administrators\\r\\n\\t- Exchange Server Administrator\\r\\n\\t- Exchange View-Only Administrator\\r\\n\\t- Exchange Enterprise Servers (located in the root domain)\\r\\n\\t- Exchange Domain Servers : one group per domain\\r\\n\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= 
tostring(split(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"noDataMessage\":\"No groups from old versions found\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand details on the content of old groups\",\"expandable\":true,\"expanded\":false,\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"let OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization 
Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a695df39-1965-479a-ad0f-b4d3d168aaed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\\r\\n\"},{\"id\":\"2d69bad8-0904-467a-86e6-cb0923520c18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Old Exchange groups content groups (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\\r\\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level ==0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| mv-expand CmdletResultValue.Members\\r\\n| where 
CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n| project Parentgroup, MemberPath= strcat(Parentgroup,\\\"\\\\\\\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)| join kind=inner ( ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| union OldVGroupEES,OldVGroupEDS\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| sort by 
tostring(CmdletResultValue.MemberPath) asc \\r\\n| where CmdletResultValue.Level != 0\\r\\n//| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ Never logged\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ Password never set\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n| extend MemberPath = case(ObjectClass == \\\"group\\\", strcat(\\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat(\\\"💻 \\\", MemberPath), strcat(\\\"🧑‍🦰 \\\", MemberPath))\\r\\n| project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\\r\\n\",\"size\":1,\"showAnalytics\":true,\"noDataMessage\":\"The query returned no results.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"LastPwdSet\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"showPin\":true,\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 
5\"}]},\"name\":\"Exchange group from old Exchange versions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - Organization Management\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Server Management\\r\\n - Hygiene Management\\r\\n - Exchange Servers\\r\\n - Exchange Trusted Subsystem \\r\\n - Exchange Windows Permissions\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Summary content of most important groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where Parentgroup in (\\\"Organization Management\\\", \\\"Compliance Management\\\", \\\"Discovery Management\\\", \\\"Server Management\\\", \\\"Recipient Manangement\\\",\\\"Security Administrator\\\", \\\"Hygiene Management\\\", \\\"Public Folder Manangement\\\", \\\"Records Manangement\\\") or Parentgroup contains \\\"Impersonation\\\" or Parentgroup contains \\\"Export\\\"\\r\\n| sort by 
dcount_MemberPath\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand for summary content for all groups located in the OU Exchange Security Groups\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath desc\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"OU Exchange Security Groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"showPin\":false,\"name\":\"query - 0 - Copy\"}]},\"name\":\"All 
groups\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f3b935d7-b78f-41d2-94bc-f8c878a13260\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon >\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"3343688f-e609-4822-b4ed-cdd50b77d948\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set 
>\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Exchange groups content (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = 
tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n//| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"AD Group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"High privileges AD groups can take 
control of Exchange by adding any accounts in the Exchange groups.\\r\\n\\r\\nNote that the members of the Account Operators are able to manage every AD group (except those protected by AdminSDHolder). This means they can manage the content of every high privilege Exchange groups.\\r\\n\\r\\nℹ️ It is recommended to not use this group and to monitor its changes.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ADGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"268bd356-7d05-41c3-9867-00c6ab198c5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},{\"id\":\"9d02cad2-f4c5-418d-976f-b88b56f80cb5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 
3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"9e591429-d8ea-40c2-80c1-2426c72c92d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Overview of high privileges AD Groups' content.\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort 
by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n//| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"AD 
Group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays differents security configuration for transport components.\"},\"name\":\"text - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\"\\r\\n| summarize Count = countif (CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\") by Name,tostring(CmdletResultValue.Server.Name)\\r\\n\",\"size\":0,\"title\":\"Anonymous Configuration\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"group\":\"CmdletResultValue_Server_Name\",\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = tostring(Identity)\\r\\n|summarize count() by Identity\",\"size\":0,\"title\":\"OpenRelay with \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for 
Anonymous\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.AuthMechanismString contains (\\\"ExternalAuthoritative\\\")\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| summarize count() by Name,Server\\r\\n\",\"size\":0,\"title\":\"Open Relay using with Externally Secure\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all **Receive Connectors** configured configured as Open Relay with the Extended Rights \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" set on the Receive Connector object in the Configuration partition.\\r\\n\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IPs. However, IP protection is not safe configuration.\\r\\n\\r\\nYou can check if the \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" ExtendedRights has been added on the Receive connector for Anonymous with PowerShell: `Get-ReceiveConnector | Get-ADPermission | ? 
{$_.ExtendedRights -like \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\"}`\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fa5f9749-d6f8-436f-ae00-cba306713bac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"14912e83-60a1-4a21-a34b-500d4662a666\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\") ) on $left.Identity == $right.Name\\r\\n| where CmdletResultValue1.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue1.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue1.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue1.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| extend Server = tostring(CmdletResultValue1.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue1.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = 
make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"RCAnonymousQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Authentication ExternalAuthoritative\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with authentication set to Externally Secure. With this configuration the Receive connector will be allow as Open Relay.\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IP. 
However, IP protection is not safe configuration.\\r\\n\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"description\":\"See Receive Connectors with no IP restriction\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n//| extend Bindings = iif(tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port )!=\\\"\\\",tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port),\\\",\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port))),tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port))))\\r\\n//| extend RemoteIPRanges = tostring(CmdletResultValue.RemoteIPRanges)\\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Externally Secured Authentication\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Security Transport Configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with Anonymous Permission\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with Anonymous authentication. It is not recommended to configure connectors with Anonymous authentication.\\r\\n\\r\\nWhen configured with Anonymous and No Ip Restriction, any machine can initiate an SMTP session with the Receive Connectors. This can then be used send emails (SPAM/Virus/Phishing....) to all the mailboxes in the organization. The mail will be seen as an internal mail and might bypass some protections.\\r\\n\\r\\nIf you absolute need this configuration because some of your application does not support Authentication, it is strongly recommended to limit the IP addresses that can establish SMTP sessions with Exchange. 
Do not use range of subnet.\\r\\n\\r\\nThis section has an option button to display \\r\\n All Receive Connectors with Anonymous (No)\\r\\n All Receive Connectors with Anonymous and with no IP Restriction (Yes)\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bcb24a01-9242-4fec-b30a-02b0583cbc87\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 3 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Anonymous 
Permission\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Receive Connectors configure with Anonymous Permission\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- RedirectMessageTo\\r\\n- CopyTo\\r\\n\\r\\n\\r\\nFor more information :\\r\\nMail flow rules in Exchange Serve\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = 
tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"### Journal Mailboxes\"},\"name\":\"JournalMailboxHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\\r\\n\\r\\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
Also by default, no one should access to these mailboxes.\\r\\n\\r\\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \\\"Enabled\\\" or tostring(CmdletResultValue.Enabled)== \\\"1\\\" , \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress)\\r\\n| extend Recipient = tostring(CmdletResultValue.Recipient)\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n| project-away CmdletResultValue\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Journal Rules configured in your environment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"JournalQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Journal Recipients on mailbox databases configured in your environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"As Journal Recipient on databases send all the mail send 
to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\\r\\n\\r\\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\\r\\n\\r\\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\\r\\n\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalRecipientsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.JournalRecipient !=\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"JournalRecipientsGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses 
in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\\r\\n\\r\\nAdditional information:\\r\\n\\r\\nRemote Domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Accepted domains set to * authorize Open Relay.\\r\\n\\r\\nMore information:\\r\\n\\r\\nAccepted 
domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.DomainName.Address == \\\"*\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend Address = \\\"* : ❌ OpenRelay configuration\\\"\\r\\n| extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n| project-away CmdletResultValue\",\"size\":1,\"showAnalytics\":true,\"title\":\"Accepted domain with *\",\"noDataMessage\":\"Accepted Domain * not confirgured (no Open Relay)\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 
'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cfc36178-c5d7-4f69-87f5-b887e722f968\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"label\":\"CompareCollect\",\"type\":10,\"description\":\"If this sesstion is checked, two collection will be compared\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": 
\\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a7e59b0-755e-40c9-a4e0-ec7f516e991c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"This date must be older than the date configured in the Date of configuration\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, 
Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"TimeRange - Copy\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\n**By default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"**\\r\\n\\r\\nTo compare collects, choose **Yes on the toogle buttom Compare Collect ** and choose the initial date.\\r\\nDepending on the section, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\nFor some sections, you'll see Add+Remove. 
This means that an account has been added and then removed during the choosen time range.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - When a fied is modified several times in the range, only first and last values will be displayed\\r\\n - **Remove Time is displayed the date of the last collect and not the exact remove time**\\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. The goal of the comparaison is to give you a global overview of the modifications between two collects.\\r\\nFor more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality may not be available for all sections in this workbook.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport 
Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange Environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section displays the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis 
section is built from a file located in the public GitHub repository.\\r\\nThe repository is manually updated by the team project when new CU/SU are released. ((Delay may happen between the release of a new CU/SU and the update of the file))\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://aka.ms/ExchBuildNumber\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 
2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://aka.ms/ExchBuildNumber\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat (VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by 
Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version break down\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit log stores all the actions performed on Exchange Servers (except Read actions such as Get/Test).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nThis can be used to track :\\r\\n- Unexpected behaviors\\r\\n- Who did a modification\\r\\n- Real actions performed by an account (the output could be used to identify the necessary privileges) and then reduce the privilege of the account by creating appropriate RBAC delegation\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that Admin Audit Log is not disabled\\r\\n- Ensure that critical Cmdlets have not been excluded\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\\r\\n- Review the retention configuration for the Admin Audit Log content\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here the main settings for the Admin Audit Log. \\r\\nRemember that AdminAudit log needs to be enabled and no cmdlet should be excluded. 
Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://aka.ms/CmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| extend AdminAuditLogCmdlets = 
substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, 
Parameters:string)[h\\\"https://aka.ms/CmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet _CurrentDateB = datetime_add('day', 1, todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\\r\\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\\r\\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\\r\\n | extend AdminAuditLogCmdlets = 
substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\\\"]'))\\r\\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\\\"', \\\"\\\")\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \\\"*\\\", \\\"✅ Default configuration\\\", \\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\\\"', \\\"\\\")\\r\\n | project-away CmdletResultValue\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\", AdminAuditLogExcludedCmdlets <> \\\"\\\", \\\"⚠️ Some Cmdlets are excluded \\\", \\\"✅ No Excluded CmdLet\\\")\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\\r\\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\\r\\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\\\"]'))\\r\\n | extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\\\"', \\\"\\\")\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \\\"*\\\", \\\"✅ Default configuration\\\", \\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\\\"', \\\"\\\")\\r\\n | project-away CmdletResultValue\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\", AdminAuditLogExcludedCmdlets <> \\\"\\\", \\\"⚠️ Some Cmdlets are excluded \\\", \\\"✅ No Excluded CmdLet\\\")\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union AfterData, BeforeData\\r\\n | sort by WhenChanged asc \\r\\n | project\\r\\n WhenChanged,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet,\\r\\n WhenCreated\\r\\n | extend AdminAuditLogAgeLimit = iff(AdminAuditLogAgeLimit != prev(AdminAuditLogAgeLimit) and prev(AdminAuditLogAgeLimit) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogAgeLimit, \\\" (\\\", prev(AdminAuditLogAgeLimit), \\\"->\\\", AdminAuditLogAgeLimit, \\\" )\\\"), AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets != prev(AdminAuditLogCmdlets) and prev(AdminAuditLogCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogCmdlets, \\\" (\\\", prev(AdminAuditLogCmdlets), \\\"->\\\", 
AdminAuditLogCmdlets, \\\" )\\\"), AdminAuditLogCmdlets)\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(Comment_AdminAuditLogCmdlets != prev(Comment_AdminAuditLogCmdlets) and prev(Comment_AdminAuditLogCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", Comment_AdminAuditLogCmdlets, \\\" (\\\", prev(Comment_AdminAuditLogCmdlets), \\\"->\\\", Comment_AdminAuditLogCmdlets, \\\" )\\\"), Comment_AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = iff(AdminAuditLogExcludedCmdlets != prev(AdminAuditLogExcludedCmdlets) and prev(AdminAuditLogExcludedCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogExcludedCmdlets, \\\" (\\\", prev(AdminAuditLogExcludedCmdlets), \\\"->\\\", AdminAuditLogExcludedCmdlets, \\\" )\\\"), AdminAuditLogExcludedCmdlets)\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = iff(Comment_AdminAuditLogExcludedCmdlet != prev(Comment_AdminAuditLogExcludedCmdlet) and prev(Comment_AdminAuditLogExcludedCmdlet) != \\\"\\\", strcat(\\\"📍 \\\", Comment_AdminAuditLogExcludedCmdlet, \\\" (\\\", prev(Comment_AdminAuditLogExcludedCmdlet), \\\"->\\\", Comment_AdminAuditLogExcludedCmdlet, \\\" )\\\"), Comment_AdminAuditLogExcludedCmdlet)\\r\\n | extend ActiontypeR =iff(( AdminAuditLogAgeLimit contains \\\"📍\\\" or AdminAuditLogCmdlets contains \\\"📍\\\" or Comment_AdminAuditLogCmdlets contains \\\"📍\\\" or AdminAuditLogExcludedCmdlets contains \\\"📍\\\" or Comment_AdminAuditLogExcludedCmdlet contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = 
case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet\",\"size\":1,\"showAnalytics\":true,\"title\":\"AdminAuditLog settings comparaison\",\"noDataMessage\":\"No modification\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 3\"}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. 
However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those which really need to use this protocol.\\r\\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all the mailboxes except those who really need it \\r\\n- Monitor the POP connections\\r\\n- Change the password of the application on a regular basis\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using POP\\r\\n- Enable POP logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name == (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as 
Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"POP settings comparaison\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n//| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangePop3\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == 
(\\\"MSExchangePop3\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by ServerName,TimeGenerated asc\\r\\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \\\"\\\", strcat(\\\"📍 \\\", LoginType, \\\" (\\\", prev(LoginType), \\\"->\\\", LoginType, \\\" )\\\"), LoginType)\\r\\n | extend ProtocolLogEnabled = iff(ServerName == 
prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \\\"\\\", strcat(\\\"📍 \\\", ProtocolLogEnabled, \\\" (\\\", prev(ProtocolLogEnabled), \\\"->\\\", ProtocolLogEnabled, \\\" )\\\"), ProtocolLogEnabled)\\r\\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \\\"\\\", strcat(\\\"📍 \\\", Status, \\\" (\\\", prev(Status), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \\\"\\\", strcat(\\\"📍 \\\", StartupType, \\\" (\\\", prev(StartupType), \\\"->\\\", StartupType, \\\" )\\\"), StartupType)\\r\\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \\\"\\\", strcat(\\\"📍 \\\", BEStatus, \\\" (\\\", prev(BEStatus), \\\"->\\\", BEStatus, \\\" )\\\"), BEStatus)\\r\\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \\\"\\\", strcat(\\\"📍 \\\", BEStartupType, \\\" (\\\", prev(BEStartupType), \\\"->\\\", BEStartupType, \\\" )\\\"), BEStartupType)\\r\\n | extend ActiontypeR =iff((LoginType contains \\\"📍\\\" or ProtocolLogEnabled contains \\\"📍\\\" or Status contains \\\"📍\\\" or StartupType contains \\\"📍\\\" or BEStatus contains \\\"📍\\\" or BEStartupType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus,\\r\\n BEStartupType\\r\\n;\\r\\nDiffModifData\\r\\n//| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), 
Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus, \\r\\n BEStartupType\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare\"}]},\"name\":\"POP authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which really need to use this protocol. 
Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \\r\\n- Monitor the connection\\r\\n- Regularly, change the password of the application\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using IMAP\\r\\n- Enable IMAP logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join 
(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = 
\\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n//| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", 
iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by ServerName,TimeGenerated asc\\r\\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \\\"\\\", strcat(\\\"📍 \\\", LoginType, \\\" (\\\", prev(LoginType), \\\"->\\\", LoginType, \\\" )\\\"), LoginType)\\r\\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \\\"\\\", strcat(\\\"📍 \\\", ProtocolLogEnabled, \\\" (\\\", prev(ProtocolLogEnabled), \\\"->\\\", ProtocolLogEnabled, \\\" )\\\"), ProtocolLogEnabled)\\r\\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \\\"\\\", strcat(\\\"📍 \\\", Status, \\\" (\\\", prev(Status), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \\\"\\\", strcat(\\\"📍 \\\", StartupType, \\\" (\\\", prev(StartupType), \\\"->\\\", StartupType, \\\" )\\\"), StartupType)\\r\\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != 
prev(BEStatus) and prev(BEStatus) != \\\"\\\", strcat(\\\"📍 \\\", BEStatus, \\\" (\\\", prev(BEStatus), \\\"->\\\", BEStatus, \\\" )\\\"), BEStatus)\\r\\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \\\"\\\", strcat(\\\"📍 \\\", BEStartupType, \\\" (\\\", prev(BEStartupType), \\\"->\\\", BEStartupType, \\\" )\\\"), BEStartupType)\\r\\n | extend ActiontypeR =iff((LoginType contains \\\"📍\\\" or ProtocolLogEnabled contains \\\"📍\\\" or Status contains \\\"📍\\\" or StartupType contains \\\"📍\\\" or BEStatus contains \\\"📍\\\" or BEStartupType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n Actiontype,\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus,\\r\\n BEStartupType\\r\\n;\\r\\nDiffModifData\\r\\n//| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus, \\r\\n BEStartupType\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP settings comparaison\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This 
section highlights nonstandard permissions on the Exchange container in the Configuration Partition. By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed. \\r\\nAlso Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator runs setup /PrepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the **Generic All** permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": 
\\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = 
iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"DN\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"DN\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\", \\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\", \\\"Organization Management\\\", \\\"Public Folder Management\\\", \\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\", \\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B119E5', Target = \\\"On-Premises\\\")\\r\\n | summarize make_list(CmdletResultValue.Name);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = 
tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"PartConfPerm\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on AllInfo \\r\\n | distinct \\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n 
InheritanceType, \\r\\n DN,\\r\\n AllInfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where 
not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on AllInfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on AllInfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on AllInfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n InheritanceType, \\r\\n DN \\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on AllInfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", 
Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n InheritanceType, \\r\\n DN \",\"size\":1,\"showAnalytics\":true,\"title\":\"Compare NonStandard Permissions for Exchange Container in the Configuration Partition\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare - Copy - Copy\"}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example :
\\r\\n- Permissions Full Access \\r\\n- Permission on mailboxes folders\\r\\n\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName !in (\\\"Hygiene Management\\\",\\\"Exchange Online-ApplicationAccount\\\",\\\"Discovery Management\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Import Export\\\" or CmdletResultValue.Role.Name == \\\"ApplicationImpersonation\\\" or (CmdletResultValue.Role.Name == \\\"Mailbox Search\\\")\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of delegations for sensitive RBAC roles\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated accounts to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as default configuration :\\r\\n- The Delegating delegation for this role assigned to Organization Management\\r\\n- Hygiene Management group 
as it is a default delegation\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nHelp for the role Application Impersonation\\r\\n\\r\\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\\r\\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\\r\\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Role.Name == \\\"ApplicationImpersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssignmentDelegationType\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssignmentDelegationType\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to export the content all mailboxes in a scope in PST file.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is a RBAC role that allows an 
account to export the content of any maibox in a PST. It also allows the delegated account to perform searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Import Export\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- Create an empty group with this delegation\\r\\n- Monitor the group content and alert when the group content is modified\\r\\n- Add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExportRoleHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Import Export\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", 
CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 
1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"export\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to search inside all or in a scope of mailboxes and export the result in PST.\\r\\nExcluded from the result as default configuration :\\r\\n- The Delegating delegation for this role assigned to Organization Management\\r\\n- Delegation for the account Exchange Online-Application\\r\\n- Delegation for the group Discovery Management \\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\\r\\n\\r\\n⚡ This role is very powerful.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. 
The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Search\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- Temporarily add the administrators in the Discovery Management group\\r\\n- Monitor the group content and alert when the group is modified\\r\\n- Add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Search\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", 
\\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Search\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Mailbox Search Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"ReceiveAs/SendAs Extended Right on databases\",\"items\":[{\"type\":1,\"content\":{\"json\":\"These sections display delegations at the database level (the database Object, not the container) ..\\r\\n\\r\\n**Receive As Extended Right on database's objects in the Configuration**\\r\\n\\r\\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\\r\\n\\r\\nHelp for Receive As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person. 
This account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers.\\r\\nChange the password as often as possible.\\r\\n\\r\\n**Send As Extended Right on database objects in the Configuration**\\r\\n\\r\\n\\r\\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\\r\\n\\r\\nHelp for Send As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.\\r\\nThis account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers. \\r\\nChange the password as often as possible.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SendAsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"eb0af112-df51-47f5-8849-b3ee764fa72d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IsInherited\",\"label\":\"Included Inherited deleg\",\"type\":10,\"description\":\"Yes Show all the delegations (Databases object and Database Containers), No only databases objects\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"false\\\", \\\"label\\\": \\\"No\\\" , \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"true, false\\\", \\\"label\\\": \\\"Yes\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"true, false\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique Acct\\\",\\\"SendAs Unique Acct\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of accounts with ReceiveAs/SendAs delegations\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_UserString\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsUsersTiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union 
ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique DB\\\",\\\"SendAs Unique DB\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Databases with ReceiveAs/SendAs delegations\",\"color\":\"purple\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_Identity_Name\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsTiles\",\"styleSettings\":{\"margin\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n| summarize Count =count() by 
Account,DatabaseName,IsInherited\\r\\n| project Account,Count,DatabaseName,IsInherited\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs Extended Right on databases\",\"noDataMessage\":\"No Receive-As delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseReceiveAsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n| summarize Count =count() by Account,DatabaseName,IsInherited\\r\\n| project Account,Count,DatabaseName,IsInherited\",\"size\":1,\"showAnalytics\":true,\"title\":\"SendAs Extended Right on 
databases\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"}}},\"customWidth\":\"50\",\"name\":\"SendAs Extended Right on databases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"MailboxDatabaseReceiveAs\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where 
(CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited\",\"size\":3,\"showAnalytics\":true,\"title\":\"Comparaison ReceiveAs\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = 
\\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"MailboxDatabaseSendAs\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = 
tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), 
\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited\",\"size\":3,\"showAnalytics\":true,\"title\":\"Comparaison SendAs\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5 - Copy\"}]},\"name\":\"ReceiveSendAs\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Local Administrators\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The following section will display the content of the local Administrators group for each server\\r\\n\\r\\n** When content refers to groups from other forests, none or partial information will be displayed, and the number of Administrators may be inconsistent. **\\r\\n\\r\\nMost of the sections display the same information but with different sorting, views...\\r\\nIf an SID is part of the local Administrators group, it won't be displayed due to a collect limitation.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"Only Exchange administrators should be members of the local Administrators group of Exchange servers.\\r\\n\\r\\nYou need to review the content of the local Administrators group on a regular basis. Ensure that the content is enforced by GPO.\\r\\n\\r\\nIt is considered as a high security risk to have a discrepancy of members between the servers. \\r\\n\\r\\nIt is not recommended to have more than one local Administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\\r\\n\\r\\nOnly Exchange administrators should be able to logon on Exchange servers.\\r\\n\\r\\nHere the default content of the local Administrators group for an Exchange server \\r\\n:\\r\\n- Administrator (this account can be renamed)\\r\\n- Domain Admins\\r\\n- Exchange Trusted Subsystem\\r\\n- Organization Management\\r\\n\\r\\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements.\\r\\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"dfffbaa4-5888-41c2-b039-dafb6110260c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"**Yes** : display all content including the default Groups : Default groups after the installation of Exchange\\r\\n\\r\\n**No** : display only content of non standard Groups\"},\"name\":\"text - 15\"},{\"type\":1,\"content\":{\"json\":\"**Top 10 servers with high number of unique local Administrators members**\"},\"name\":\"text - 
13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| top 10 by dcount_MemberPath\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Click to see number of unique members for every servers in the organization\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Number of unique members for all servers\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange 
Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9 - Copy\"}]},\"name\":\"All servers number of members\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allsrv = ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | where \\r\\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| where 
CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Name = tostring(trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\\r\\n| distinct Name\\r\\n| project Name\\r\\n| join kind=rightanti (allsrv) on Name\\r\\n| project CmdletResultValue.Name\",\"size\":4,\"title\":\"Servers not reachable during the collect\",\"noDataMessage\":\"All server were successfully analyzed\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.ServerRole <> 64\\r\\n| count\\r\\n\",\"size\":4,\"title\":\"Total number of servers in the Organizaton\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| 
extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\\r\\n| count \",\"size\":4,\"title\":\"Number of Analyzed servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"This Tab shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\\r\\n\\r\\nConsider reviewing:\\r\\n- **nonstandard members** : the Memberpath help to understand from which group inclusion the user come from\\r\\n- **inconsistent members** across servers\\r\\n\\r\\nNote that content from Trusted forests might not be displayed. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminPerServersHelp\"},{\"type\":1,\"content\":{\"json\":\"This tabled shows a comparaison of the content between two dates.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"LocalAdminPerServersHelp - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"590a6eb9-3349-46cd-ace1-cae9aac1f26a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend 
Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"LocalAminGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Parentgroup,\\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n DN,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = 
tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Parentgroup,\\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n 
DN\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Parentgroup, \\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n DN\\r\\n| where Parentgroup contains \\\"{Server}\\\"\",\"size\":3,\"showAnalytics\":true,\"title\":\"To view the comparaison for one specific server, select a server in the dropdown list\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = 
tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| project Parentgroup = strcat(\\\"💻 \\\",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| sort by Parentgroup asc \",\"size\":1,\"showAnalytics\":true,\"title\":\" Total per server of Non standard Groups and accounts including nested groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parentgroup\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"Server\"}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"LocalAdminPerServers\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| 
extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue\\r\\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\\r\\n| summarize Count=count() by MemberPath,Parentgroup \\r\\n| sort by Count desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Non Standard accounts summary for all servers\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"MemberPath\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Member\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"MemberPath\"],\"expandTopLevel\":false},\"labelSettings\":[{\"columnId\":\"MemberPath\",\"label\":\"MemberPath\"},{\"columnId\":\"Parentgroup\",\"label\":\"Servers\"},{\"columnId\":\"Count\",\"label\":\"Nb Servers\"}]}},\"name\":\"LocalAdminCount\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Select a server to display its content\\r\\n\\r\\nBy default only the non-standard members are displayed. 
\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19e606d9-7f3e-4d2f-a314-892da571e50a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"label\":\"Show only nonstandard members\",\"type\":10,\"description\":\"Show only non standard members\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"value\":\"True\"},{\"id\":\"901bf975-426f-486b-82de-ff0d64f139bb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": 
\\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"2f7a613f-8749-44c9-b8be-844964badef8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where CmdletResultValue.Parentgroup contains \\\"{Server}\\\"\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring 
(CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(365d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\\r\\n| project-away Parentgroup\",\"size\":1,\"showAnalytics\":true,\"title\":\"Local Administrators group 
content\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Server\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"AdGroups\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"Local Administrators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange and AD GRoup\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays the content of high privilege groups in Exchange and AD.\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Trusted Subsystem** group is one of the two most sensitive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contain computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\\r\\n\\r\\nThis section only shows direct nonstandard members.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExchangeTrustedSubsystemHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Windows Permissions** group is one of the two most sensitive groups in Exchange. This group has very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contain the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. 
\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"WindowsPermissionGroupTileHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontent = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontent)\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem group nonstandard member count\",\"noDataMessage\":\"Content of group as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup1Query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Result = iff ( CmdletResultType == \\\"Success\\\", \\\"\\\", \\\"Error in the script unable to retrieve value\\\")\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions group direct nonstandard members (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of group as 
expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup2Query\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontnet = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontnet)\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem nonstandard content\",\"noDataMessage\":\"Content of Exchange Trusted SubSystem as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"ETSDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of Exchange Windows Permissions as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"WindowsPermissionsQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ETS and WP Grids\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange groups from old Exchange version\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Groups from the old Exchange version should have been removed\\r\\n- List of old groups \\r\\n\\t- Exchange Organization Administrators\\r\\n\\t- Exchange Recipient 
Administrators\\r\\n\\t- Exchange Public Folder Administrators\\r\\n\\t- Exchange Server Administrator\\r\\n\\t- Exchange View-Only Administrator\\r\\n\\t- Exchange Enterprise Servers (located in the root domain)\\r\\n\\t- Exchange Domain Servers : one group per domain\\r\\n\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"If still exist, this section showed a summary of the content of old groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")])\\r\\n| summarize 
dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"noDataMessage\":\"No groups from old versions found\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand this section to details on the content of the old groups\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"let OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public 
Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a695df39-1965-479a-ad0f-b4d3d168aaed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\\r\\n\"},{\"id\":\"2d69bad8-0904-467a-86e6-cb0923520c18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Old Exchange groups content 
groups (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\\r\\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level ==0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project Parentgroup, MemberPath= strcat(Parentgroup,\\\"\\\\\\\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = 
tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner ( ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | union OldVGroupEES,OldVGroupEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n | where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n | sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n | where CmdletResultValue.Level != 0\\r\\n | extend LastLogon = 
tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ Never logged\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ Password never set\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend MemberPath = case(ObjectClass == \\\"group\\\", strcat(\\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat(\\\"💻 \\\", MemberPath), strcat(\\\"🧑‍🦰 \\\", MemberPath))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Selected group content\",\"noDataMessage\":\"The query returned no results.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"LastPwdSet\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"showPin\":true,\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList 
={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeDataEES=\\r\\n (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled));\\r\\nlet BeforeDataEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level == 0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project\\r\\n Parentgroup,\\r\\n 
MemberPath= strcat(Parentgroup, \\\"\\\\\\\\\\\", CmdletResultValue_Members.name),\\r\\n Level = tostring(1),\\r\\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\\r\\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\\r\\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\\r\\n on ObjectGuid); \\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n | union BeforeDataEES, BeforeDataEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | 
extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterDataEES=\\r\\n (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled));\\r\\nlet AfterDataEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level == 0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project\\r\\n Parentgroup,\\r\\n MemberPath= strcat(Parentgroup, 
\\\"\\\\\\\\\\\", CmdletResultValue_Members.name),\\r\\n Level = tostring(1),\\r\\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\\r\\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\\r\\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\\r\\n on ObjectGuid); \\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | union AfterDataEES, AfterDataEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), 
CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ExGroup\\\" or Section_s == \\\"ADGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\", \\\"Exchange Enterprise Servers\\\" , \\\"Exchange Services\\\")\\r\\n //| where CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\"\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | 
extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| extend Actiontype =\\\"Add/Remove\\\"\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| where MemberPath <> \\\"Exchange Enterprise Servers\\\\\\\\Exchange Domain Servers\\\"\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Compare of the contents of selected old 
group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Compare\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 5\"}]},\"name\":\"Exchange group from old Exchange versions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account is a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required permissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the required permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - Organization Management\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Server Management\\r\\n - Hygiene Management\\r\\n - Exchange Servers\\r\\n - Exchange Trusted Subsystem \\r\\n - Exchange Windows Permissions\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Summary content of most important groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where Parentgroup in (\\\"Organization Management\\\", \\\"Compliance Management\\\", \\\"Discovery Management\\\", \\\"Server Management\\\", \\\"Recipient Manangement\\\",\\\"Security Administrator\\\", \\\"Hygiene Management\\\", \\\"Public Folder Manangement\\\", \\\"Records Manangement\\\") or Parentgroup contains \\\"Impersonation\\\" or Parentgroup contains \\\"Export\\\"\\r\\n| sort by 
dcount_MemberPath\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand for summary content for all groups located in the OU Exchange Security Groups\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath desc\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"OU Exchange Security Groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"showPin\":false,\"name\":\"query - 0 - Copy\"}]},\"name\":\"All groups\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5 - 
Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f3b935d7-b78f-41d2-94bc-f8c878a13260\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon >\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"3343688f-e609-4822-b4ed-cdd50b77d948\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set >\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ 
\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Exchange groups content (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = 
tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | 
summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ExGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = 
allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | 
search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| extend Actiontype =\\\"Add/Remove\\\"\\r\\n| project \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n Actiontype,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet 
DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\",\"size\":3,\"showAnalytics\":true,\"title\":\"Add/Remove information in selected group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)\"},\"name\":\"text - 7\"}]},\"name\":\"Exchange group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"AD Group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5 - Copy\"},{\"type\":1,\"content\":{\"json\":\"High privileges AD groups can take control of Exchange by adding any accounts in the Exchange groups.\\r\\n\\r\\nNote that the members of the Account Operators are able to manage every AD group (except those protected by AdminSDHolder). 
This means they can manage the content of every high privilege Exchange groups.\\r\\n\\r\\nℹ️ It is recommended to not use this group and to monitor its changes.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ADGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"268bd356-7d05-41c3-9867-00c6ab198c5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where tostring(CmdletResultValue.Parentgroup) != \\\"Exchange Enterprise Servers\\\" and tostring(CmdletResultValue.Parentgroup) <> \\\"Exchange Services\\\"\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9d02cad2-f4c5-418d-976f-b88b56f80cb5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\"},{\"id\":\"9e591429-d8ea-40c2-80c1-2426c72c92d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Overview of high privileges AD Groups' content.\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| 
extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ADGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled 
= tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = 
tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| 
extend Actiontype =\\\"Add/Remove\\\"\\r\\n| project \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n Actiontype,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"Add/Remove information in selected group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Compare\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)\"},\"name\":\"text - 6\"}]},\"name\":\"AD Group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays different security configurations for transport components.\"},\"name\":\"text - 
10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\"\\r\\n| summarize Count = countif (CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\") by Name,tostring(CmdletResultValue.Server.Name)\\r\\n\",\"size\":0,\"title\":\"Anonymous Configuration\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"group\":\"CmdletResultValue_Server_Name\",\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = tostring(Identity)\\r\\n|summarize count() by Identity\",\"size\":0,\"title\":\"OpenRelay with \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.AuthMechanismString contains 
(\\\"ExternalAuthoritative\\\")\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| summarize count() by Name,Server\\r\\n\",\"size\":0,\"title\":\"Open Relay using with Externally Secure\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all **Receive Connectors** configured configured as Open Relay with the Extended Rights \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" set on the Receive Connector object in the Configuration partition.\\r\\n\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IPs. However, IP protection is not safe configuration.\\r\\n\\r\\nYou can check if the \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" ExtendedRights has been added on the Receive connector for Anonymous with PowerShell: `Get-ReceiveConnector | Get-ADPermission | ? 
{$_.ExtendedRights -like \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\"}`\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fa5f9749-d6f8-436f-ae00-cba306713bac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"14912e83-60a1-4a21-a34b-500d4662a666\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\") ) on $left.Identity == $right.Name\\r\\n| where CmdletResultValue1.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue1.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue1.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue1.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| extend Server = tostring(CmdletResultValue1.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue1.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = 
make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"RCAnonymousQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project Identity,CmdletResultValue\\r\\n | extend Identity = tostring(Identity)\\r\\n | extend Server = 
replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Server\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct \\r\\n Actiontype,\\r\\n Identity,\\r\\n Server\\r\\n | project \\r\\n Actiontype,\\r\\n Identity,\\r\\n Server\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Permission = \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\",\\r\\n Identity,\\r\\n Server\\r\\n| order by Server\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"}]},\"name\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Authentication ExternalAuthoritative\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with authentication set to Externally Secure. With this configuration the Receive connector will be allow as Open Relay.\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. 
Depending on the configuration, the connectors may be protected by IP. However, IP protection is not safe configuration.\\r\\n\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"description\":\"See Receive Connectors with no IP restriction\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n//| extend Bindings = iif(tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port )!=\\\"\\\",tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port),\\\",\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port))),tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port))))\\r\\n//| extend RemoteIPRanges = tostring(CmdletResultValue.RemoteIPRanges)\\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Externally Secured Authentication\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.AuthMechanismString 
contains \\\"ExternalAuthoritative\\\"\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = 
iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), 
strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains \\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n 
PermissionGroups,\\r\\n AuthMechanism,\\r\\n tostring=(Bindings),\\r\\n tostring(RemoteIPRange),\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy\"}]},\"name\":\"Security Transport Configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with Anonymous Permission\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with Anonymous authentication. It is not recommended to configure connectors with Anonymous authentication.\\r\\n\\r\\nWhen configured with Anonymous and No Ip Restriction, any machine can initiate an SMTP session with the Receive Connectors. This can then be used send emails (SPAM/Virus/Phishing....) to all the mailboxes in the organization. 
The mail will be seen as an internal mail and might bypass some protections.\\r\\n\\r\\nIf you absolute need this configuration because some of your application does not support Authentication, it is strongly recommended to limit the IP addresses that can establish SMTP sessions with Exchange. Do not use range of subnet.\\r\\n\\r\\nThis section has an option button to display \\r\\n All Receive Connectors with Anonymous (No)\\r\\n All Receive Connectors with Anonymous and with no IP Restriction (Yes)\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bcb24a01-9242-4fec-b30a-02b0583cbc87\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n- 
Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Anonymous 
Permission\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != 
prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains \\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings,\\r\\n RemoteIPRange,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == 
\\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy\"}]},\"name\":\"Receive Connectors configure with Anonymous Permission\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- RedirectMessageTo\\r\\n- CopyTo\\r\\n\\r\\n\\r\\nFor more information :\\r\\nMail flow rules in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity 
contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project 
CmdletResultValue,TimeGenerated\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue, TimeGenerated\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| 
project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by Identity, TimeGenerated asc\\r\\n | extend Status = iff(Status != prev(Status) and Identity == prev(Identity), strcat(\\\"📍 \\\", Status, \\\" (\\\", iff(prev(Status)==\\\"\\\",\\\"Null\\\",prev(Status)), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend SentTo = iff(SentTo != prev(SentTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", SentTo, \\\" (\\\", iff(prev(SentTo)==\\\"\\\",\\\"Null\\\",prev(SentTo)), \\\"->\\\", SentTo, \\\" )\\\"), SentTo)\\r\\n | extend BlindCopyTo = iff(BlindCopyTo != prev(BlindCopyTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\", iff(prev(BlindCopyTo)==\\\"\\\",\\\"Null\\\",prev(BlindCopyTo)), \\\"->\\\", BlindCopyTo, \\\" )\\\"), BlindCopyTo)\\r\\n | extend CopyTo = iff(CopyTo != prev(CopyTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", CopyTo, \\\" (\\\", iff(prev(CopyTo)==\\\"\\\",\\\"Null\\\",prev(CopyTo)), \\\"->\\\", CopyTo, \\\" )\\\"), CopyTo)\\r\\n | extend RedirectMessageTo = iff(CopyTo != prev(RedirectMessageTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", RedirectMessageTo, \\\" (\\\", iff(prev(RedirectMessageTo)==\\\"\\\",\\\"Null\\\",prev(RedirectMessageTo)), \\\"->\\\", RedirectMessageTo, \\\" )\\\"), RedirectMessageTo)\\r\\n | extend Mode = iff(Mode != prev(Mode) and Identity == prev(Identity), strcat(\\\"📍 \\\", Mode, \\\" (\\\", 
iff(prev(Mode)==\\\"\\\",\\\"Null\\\",prev(Mode)), \\\"->\\\", Mode, \\\" )\\\"), Mode)\\r\\n | extend ActiontypeR =iff(( Identity contains \\\"📍\\\" or Status contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or RedirectMessageTo contains \\\"📍\\\" or Mode contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by TimeGenerated desc \\r\\n| project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Journal Mailboxes\"},\"name\":\"JournalMailboxHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\\r\\n\\r\\nJournal Rules should be reviewed to check if they are still needed. 
Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\\r\\n\\r\\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \\\"true\\\" , \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n| extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n| sort by Name asc\\r\\n| sort by Status desc\\r\\n| project-away CmdletResultValue\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Journal Rules configured in your environment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"JournalQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = 
todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"JournalRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | project CmdletResultValue, TimeGenerated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Name,\\r\\n Status,\\r\\n JournalEmailAddress,\\r\\n Recipient,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= 
iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype = iff (Name != \\\"\\\", \\\"Remove\\\", \\\"\\\")\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n 
| extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| where Name <> \\\"\\\"\\r\\n| project\\r\\n Actiontype,\\r\\n Name,\\r\\n Status,\\r\\n JournalEmailAddress,\\r\\n Recipient\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Journal Recipients on mailbox databases configured in your environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\\r\\n\\r\\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
No one should have access to these mailboxes by default.\\r\\n\\r\\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\\r\\n\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalRecipientsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.JournalRecipient !=\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"JournalRecipient\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"JournalRecipient\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = 
tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,WhenChanged,WhenCreated\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Identity asc \\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by Identity, WhenChanged asc\\r\\n | extend JournalRecipient = iff(JournalRecipient != prev(JournalRecipient) and Identity == prev(Identity), strcat(\\\"📍 \\\", JournalRecipient, \\\" (\\\", iff(prev(JournalRecipient)==\\\"\\\",\\\"Null\\\",prev(JournalRecipient)), \\\"->\\\", JournalRecipient, \\\" )\\\"), JournalRecipient)\\r\\n | extend ActiontypeR =iff(( Identity contains \\\"📍\\\" or JournalRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend 
Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"JournalRecipientsGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\\r\\n\\r\\nAdditional information:\\r\\n\\r\\nRemote Domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = 
_TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,WhenChanged,WhenCreated\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet i=0;\\r\\nlet 
DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Name\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Name\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Name asc\\r\\n //| extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend Address = iff(Address != prev(Address) and prev(Address) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", Address, \\\" (\\\", prev(Address), \\\"->\\\", Address, \\\" )\\\"), Address)\\r\\n | extend AutoForwardEnabled = iff(AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\", prev(AutoForwardEnabled), \\\"->\\\", AutoForwardEnabled, \\\" )\\\"), AutoForwardEnabled)\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or Address contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| 
project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Accepted domains set to * authorize Open Relay.\\r\\n\\r\\nMore information:\\r\\n\\r\\nAccepted domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.DomainName.Address == \\\"*\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend Address = \\\"* : ❌ OpenRelay configuration\\\"\\r\\n| extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n| project-away CmdletResultValue\",\"size\":1,\"showAnalytics\":true,\"title\":\"Accepted domain with *\",\"noDataMessage\":\"Accepted Domain * not confirgured (no Open Relay)\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue, WhenChanged, WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue, WhenChanged, WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative 
Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Name\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Name\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData, AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Name asc\\r\\n // | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\", strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend Address = iff(Address != prev(Address) and prev(Address) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", Address, \\\" (\\\", prev(Address), \\\"->\\\", Address, \\\" )\\\"), Address)\\r\\n | extend DomainType = iff(DomainType != prev(DomainType) and prev(DomainType) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", DomainType, \\\" (\\\", prev(DomainType), \\\"->\\\", DomainType, \\\" )\\\"), DomainType)\\r\\n | extend ActiontypeR =iff((Name contains \\\"📍\\\" or Address contains \\\"📍\\\" or DomainType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), 
Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"ForwardGroup\"}]},\"name\":\"Journal Rules\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -2949,7 +5946,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. 
Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId4')]", "contentId": "[variables('_workbookContentId4')]", "kind": "Workbook", @@ -3011,7 +6008,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.1.5", + "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
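Review bot: The new `description` value in the `@@ -2949,7 +5946,7 @@` hunk is still a stringified PowerShell hashtable (`@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=...; provider=Microsoft}`) with a literal `.description` appended, so the version bump to 2.0.0 carries the same defect as the 1.0.1 line it replaces and users of the packaged workbook see the raw object dump instead of its description. This is presumably the packaging script interpolating the object rather than its property (the `"$obj.description"` versus `"$($obj.description)"` mistake), though the generator itself is not in this diff. The intended value is the sentence already embedded inside the dump, starting `This Workbook is dedicated to On-Premises Exchange organizations...`. Since mainTemplate.json is generated output, the fix belongs in the generator followed by a regeneration rather than a hand edit of this line.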
@@ -3057,54 +6054,54 @@ ], "entityMappings": [ { - "entityType": "Mailbox", "fieldMappings": [ { - "identifier": "MailboxPrimaryAddress", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "MailboxPrimaryAddress" } - ] + ], + "entityType": "Mailbox" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Sid", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Sid" }, { - "identifier": "ObjectGuid", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "ObjectGuid" }, { - "identifier": "FullName", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ], "alertDetailsOverride": { - "alertSeverityColumnName": "Level", "alertDisplayNameFormat": "{{CmdletName}} executed on {{TargetObject}}", - "alertDescriptionFormat": "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}" + "alertDescriptionFormat": "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}", + "alertSeverityColumnName": "Level" } } }, 
@@ -3158,7 +6155,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.1.5", + "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -3204,48 +6201,48 @@ ], "entityMappings": [ { - "entityType": "Mailbox", "fieldMappings": [ { - "identifier": "MailboxPrimaryAddress", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "MailboxPrimaryAddress" }, { - "identifier": "Upn", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "Upn" } - ] + ], + "entityType": "Mailbox" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "ServerCmdletTargetObject" + "columnName": "ServerCmdletTargetObject", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "Name" }, { - "identifier": "ObjectGuid", - "columnName": "objectGUID" + "columnName": "objectGUID", + "identifier": "ObjectGuid" } - ] + ], + "entityType": "Account" } ] } 
@@ -3332,12 +6329,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.5", + "version": "3.3.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange On-Premises", "publisherDisplayName": "Community", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Windows Event logs collection, including MS Exchange Management Event logs

    \n
  2. \n
  3. Custom logs ingestion via Data Collector REST API

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 4, Workbooks: 4, Analytic Rules: 2, Watchlists: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Windows Event logs collection, including MS Exchange Management Event logs

    \n
  2. \n
  3. Custom logs ingestion via Data Collector REST API

    \n
  4. \n
\n

Data Connectors: 8, Parsers: 5, Workbooks: 4, Analytic Rules: 2, Watchlists: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3371,6 +6368,36 @@ "contentId": "[variables('_dataConnectorContentId2')]", "version": "[variables('dataConnectorVersion2')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId3')]", + "version": "[variables('dataConnectorVersion3')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId4')]", + "version": "[variables('dataConnectorVersion4')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId5')]", + "version": "[variables('dataConnectorVersion5')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId6')]", + "version": "[variables('dataConnectorVersion6')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId7')]", + "version": "[variables('dataConnectorVersion7')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId8')]", + "version": "[variables('dataConnectorVersion8')]" + }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", @@ -3391,6 +6418,11 @@ "contentId": "[variables('parserObject4').parserContentId4]", "version": "[variables('parserObject4').parserVersion4]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject5').parserContentId5]", + "version": "[variables('parserObject5').parserVersion5]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -3424,12 +6456,12 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Services Monitoring')]", - "version": "3.1.5" + "version": "3.3.0" }, { "kind": "Watchlist", "contentId": "[variables('_Exchange VIP')]", - "version": "3.1.5" + "version": "3.3.0" } ] }, 
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
new file mode 100644
index 00000000000..33c7525d895
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
@@ -0,0 +1,183 @@ +id: 0a0f4ea0-6b94-4420-892e-41ca985f2f01 +Function: + Title: Parser for MRA Configuration Data Comparison On-Premises + Version: '1.0.0' + LastUpdated: '2024-08-30' +Category: Microsoft Sentinel Parser +FunctionName: MESCompareDataOnPMRA +FunctionAlias: MESCompareDataOnPMRA +FunctionParams: + - Name: SectionCompare + Type: string + Description: The Section to compare. Default value is "". + Default: '' + - Name: DateCompare + Type: string + Description: The date of the source comparison. Default value is "lastdate". + Default: 'lastdate' + - Name: CurrentDate + Type: string + Description: The date of the target comparison. Default value is "lastdate". + Default: 'lastdate' + - Name: EnvList + Type: string + Description: List of environments to compare. Default value is "All". + Default: 'All' + - Name: TypeEnv + Type: string + Description: Type of environment to compare. Default value is "Online". + Default: 'Online' + - Name: CurrentRole + Type: string + Description: A specific role to compare. Default value is "". + Default: '' + - Name: ExclusionsAcct + Type: dynamic + Description: List of actors to exclude. Default value is "dynamic('')". + Default: dynamic('') +FunctionQuery: | + // Version: 1.0.0 + // Last Updated: 30/08/2024 + // + // DESCRIPTION: + // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them. + // + // USAGE: + // Parameters : 7 parameters to add during creation. + // 1. SectionCompare, type string, default value "" + // 2. DateCompare, type string, default value "lastdate" + // 3. CurrentDate, type string, default value "lastdate" + // 4. EnvList, type string, default value "All" + // 5. TypeEnv, type string, default value "Online" + // 6. CurrentRole, type string, default value "" + // 7. 
ExclusionsAcct, type dynamic, default value dynamic("") + // + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let SectionCompare = "SampleEntry"; + // let EnvList = "All"; + // let TypeEnv = "Online"; + // let CurrentRole = ""; + // let ExclusionsAcct = dynamic(""); + // let DateCompare = "lastdate"; + // let CurrentDate = "lastdate"; + // + // Parameters definition + let _SectionCompare = SectionCompare; + let _EnvList =EnvList; + let _TypeEnv = TypeEnv; + let _CurrentRole =CurrentRole; + let _ExclusionsAcct = ExclusionsAcct; + let _DateCompare = DateCompare; + let _CurrentDate = CurrentDate; + let _DateCompareB = todatetime(DateCompare); + let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | summarize TimeMax = max(TimeGenerated) + | extend TimeMax = tostring(split(TimeMax,"T")[0]) + | project TimeMax); + let _CurrentDateB = todatetime(toscalar(_currD)); + let BeforeData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + ; + let AfterData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; + let i=0; + let allDataRange = + ESIExchangeConfig_CL + | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB) + | where ESIEnvironment_s == _EnvList + | where Section_s == "MRA" + | extend CmdletResultValue = parse_json(rawData_s) + | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; + let DiffAddDataP1 = allDataRange + | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated + ; + let 
DiffAddDataP2 = allDataRange + | join kind = innerunique (allDataRange ) on WhenCreated + | where WhenCreated >=_DateCompareB + | where bin(WhenCreated,5m)==bin(WhenChanged,5m) + | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + let DiffAddData = union DiffAddDataP1,DiffAddDataP2 + | extend Actiontype ="Add"; + let DiffRemoveData = allDataRange + | join kind = leftanti AfterData on RoleAssigneeName + | extend Actiontype ="Remove" + | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + let DiffModifData = union AfterData,allDataRange + | sort by ManagementRoleAssignement,WhenChanged asc + | extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) + | extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) + | extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", 
prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope) + | extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) + | extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) + | extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) + | extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") + | where ActiontypeR == 1 + | project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + union DiffAddData, DiffRemoveData, DiffModifData + | extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) + | extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) + //| extend WhenChanged = case(Actiontype == "Modif" , tostring(bin(WhenChanged,1m)), Actiontype == "Add",tostring(bin(WhenChanged,1m)),Actiontype == "Remove","NoInformation","N/A") + | extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") + | sort by WhenChanged desc + | project + WhenChanged, + Actiontype, + RoleAssigneeName, + RoleAssigneeType, + Status, + 
CustomRecipientWriteScope, + CustomConfigWriteScope, + RecipientWriteScope, + ConfigWriteScope, + ManagementRoleAssignement, + RoleAssignmentDelegationType, + WhenCreated \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md index 56b98e50e99..d3e7780a041 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md @@ -28,6 +28,10 @@ Parsers are created [using functions in Azure monitor log queries](https://docs. - [Parser Description](#parser-description-3) - [Parser dependency](#parser-dependency-1) - [Parser Setup](#parser-setup-3) + - [Microsoft Exchange Compare Data MRA Parser for On-Premises](#microsoft-exchange-compare-data-mra-parser-for-on-premises) + - [Parser Definition](#parser-definition-4) + - [Parser Description](#parser-description-4) + - [Parser Setup](#parser-setup-4) ## ExchangeConfiguration Parser @@ -184,3 +188,39 @@ This parser is linked to "ExchangeVIP" whatchlist >1 parameter to add during creation : UserToCheck, type string, No default value 1. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +## Microsoft Exchange Compare Data MRA Parser for On-Premises + +### Parser Definition + +- Title: Microsoft Exchange Compare Data MRA Parser for On-Premises +- Version: 1.0.0 +- Last Updated: 30/08/2024 +- Description: This parser compare data from MRA and ESI Exchange Collector to find differences + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.0 |
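Review bot: With the declared defaults the `allDataRange` branch of FunctionQuery is empty, so `DiffRemoveData` and `DiffModifData` contribute nothing and every current assignment comes out as `➕ Add`: `let _DateCompareB = todatetime(DateCompare);` yields null for the default `'lastdate'` (so `between (_DateCompareB .. _CurrentDateB)` and `WhenCreated >= _DateCompareB` match no rows), and `| where ESIEnvironment_s == _EnvList` compares the raw column with the literal `'All'` instead of treating it as a wildcard the way `ExchangeConfiguration(...)` is presumably handed it. For a management-role-assignment comparison that silently drops exactly the removals and scope changes a reviewer is looking for; resolve `_DateCompareB` the way `_CurrentDateB` is resolved (via `ExchangeConfiguration(... SpecificConfigurationDate=_DateCompare ...) | summarize max(TimeGenerated)`) and change the environment filter to `| where _EnvList == "All" or ESIEnvironment_s in (split(_EnvList, ","))`. The header comment also disagrees with what the query does: it describes the "Exchange Online Configuration" and `TypeEnv` defaults to `'Online'` although this parser ships in the On-Premises solution, and `Section_s == "MRA"` is hard-coded while `SectionCompare` is documented as "The Section to compare" — state in the comment that the parser is MRA-specific and that `SectionCompare` only selects the `ExchangeConfiguration` section. Note too that the README hunk in this commit tells users to save the function as "MESCompareDataMRA" whereas `FunctionName`/`FunctionAlias` here are `MESCompareDataOnPMRA`.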
  • Function initilisation for Sentinel Solution
| + +### Parser Description + +This parser compare data from MRA and ESI Exchange Collector to find differences + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "MESCompareDataMRA". + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + 4. This parser is linked to "MRA" and "ESI Exchange Collector" tables + +>#### **Parameters:** + +>7 parameter to add during creation : +> +> 1. SectionCompare, type string, default value "" +> 2. DateCompare, type string, default value "lastdate" +> 3. CurrentDate, type string, default value "lastdate" +> 4. EnvList, type string, default value "All" +> 5. TypeEnv, type string, default value "Online" +> 6. CurrentRole, type string, default value "" +> 7. ExclusionsAcct, type dynamic, default value dynamic("") \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md index e5216daeaad..14f533df77a 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md 
@@ -1,7 +1,9 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.1.5 | 27-09-2024 | Fixed Spelling error in title of **Data Connector** |
-| | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
+| 3.3.0 | 26-08-2024 | Add Compare in Exchange Security Review. Create DataConnectors for Azure Monitor Agent. Correct bugs |
+| 3.2.0 | 09-04-2024 | Explode "ExchangeAdminAuditLogEvents" dataconnector to multiple simplier dataconnectors |
+| 3.1.5 | 26-04-2024 | Fix Typpo in DataConnector |
+| | | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
 | 3.1.4 | 18-04-2024 | Repackaged for parser issue while redeployment |
 | 3.1.3 | 10-04-2024 | Updated DataConnector last Log indicator and IsConnected queries by including Application and System Log Event Types |
 | 3.1.2 | 20-02-2024 | Correct DataConnector last Log indicator and IsConnected queries |
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json
index 50428e48bc4..4f96d1b47be 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json
@@ -26,10 +26,12 @@
 "query": "ExchangeEnvironmentList(Target=\"On-Premises\") | where ESIEnvironment != \"\"",
 "typeSettings": {
 "limitSelectTo": 1,
+ "additionalResourceOptions": [],
 "showDefault": false
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": []
 },
 {
 "id": "a88b4e41-eb2f-41bf-92d8-27c83650a4b8",
@@ -40,11 +42,26 @@ "isRequired": true, "query": "let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \"all\",\"All\",tostring({EnvironmentList})),',');\r\nESIExchangeConfig_CL\r\n| extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n| where ScopedEnvironment in (_configurationEnv)\r\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n| summarize Collection = max(Collection)\r\n| project Collection = \"lastdate\", Selected = true\r\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | summarize by Collection \r\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\r\n | summarize by PreciseCollection, Collection \r\n | join kind=leftouter (\r\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\r\n | summarize by PreciseCollection, Collection \r\n | summarize count() by Collection\r\n ) on Collection\r\n ) on Collection\r\n) on Collection\r\n| project Value = 
iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\"Last Known date\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\r\n| sort by Selected, Value desc", "typeSettings": { + "additionalResourceOptions": [], "showDefault": false }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, + { + "id": "cfc36178-c5d7-4f69-87f5-b887e722f968", + "version": "KqlParameterItem/1.0", + "name": "Compare_Collect", + "label": "CompareCollect", + "type": 10, + "description": "If this sesstion is checked, two collection will be compared", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n { \"value\": \"True\", \"label\": \"Yes\" },\r\n { \"value\": \"True,False\", \"label\": \"No\", \"selected\":true }\r\n]" + }, { "id": "8ac96eb3-918b-4a36-bcc4-df50d8f46175", "version": "KqlParameterItem/1.0", @@ -52,7 +69,7 @@ "label": "Show Help", "type": 10, "isRequired": true, - "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\"}", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\"}\r\n", "timeContext": { "durationMs": 2592000000 }, 
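Review bot: The `Compare_Collect` parameter's `description` is user-facing and carries typos: `"description": "If this sesstion is checked, two collection will be compared"` should read `"description": "If this option is checked, two collections will be compared"`. The "No" entry in `jsonData` has the value `"True,False"` rather than `"False"`; that presumably relies on the `conditionalVisibility` test `isEqualTo "True"` used elsewhere in this commit, but a plain `"False"` value, or a short note in the description, would keep the next editor from "fixing" it by accident. The same wording point applies to the info text added in the `@@ -65,10 +82,42 @@` hunk.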
@@ -65,10 +82,42 @@ }, "name": "TimeRange" }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "0a7e59b0-755e-40c9-a4e0-ec7f516e991c", + "version": "KqlParameterItem/1.0", + "name": "DateCompare", + "type": 2, + "description": "This date must be older than the date configured in the Date of configuration", + "isRequired": true, + "query": "let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \"all\",\"All\",tostring({EnvironmentList})),',');\r\nESIExchangeConfig_CL\r\n| extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n| where ScopedEnvironment in (_configurationEnv)\r\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n| summarize Collection = max(Collection)\r\n| project Collection = \"lastdate\", Selected = true\r\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | summarize by Collection \r\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\r\n | summarize by PreciseCollection, Collection \r\n | join kind=leftouter (\r\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = 
format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\r\n | summarize by PreciseCollection, Collection \r\n | summarize count() by Collection\r\n ) on Collection\r\n ) on Collection\r\n) on Collection\r\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\"Last Known date\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\r\n| sort by Selected, Value desc", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "TimeRange - Copy" + }, { "type": 1, "content": { - "json": "This workbook helps review your Exchange Security configuration.\r\nSelect your Exchange Organization and adjust the time range.\r\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \"Show Help\"", + "json": "This workbook helps review your Exchange Security configuration.\r\nSelect your Exchange Organization and adjust the time range.\r\n**By default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \"Show Help\"**\r\n\r\nTo compare collects, choose **Yes on the toogle buttom Compare Collect ** and choose the initial date.\r\nDepending on the section, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\r\nFor some sections, you'll see Add+Remove. 
This means that an account has been added and then removed during the choosen time range.\r\n\r\n**Important notes** : Some information are limited are may be not 100% accurate :\r\n - Date\r\n - When a fied is modified several times in the range, only first and last values will be displayed\r\n - **Remove Time is displayed the date of the last collect and not the exact remove time**\r\n - ... \r\n\r\nThis is due to some restrictions in the collect. The goal of the comparaison is to give you a global overview of the modifications between two collects.\r\nFor more details information, please check the workbook **\"Microsoft Exchange Search AdminAuditLog\"**\r\n.\r\n\r\nThe compare functionnality may not be available for all sections in this workbook.\r\n", "style": "info" }, "name": "text - 9" @@ -161,7 +210,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Security Configuration for the Exchange environment", + "title": "Security Configuration for the Exchange Environment", "items": [ { "type": 1, @@ -173,7 +222,7 @@ { "type": 1, "content": { - "json": "This section display the Exchange version and the CU installed.\r\n\r\nFor the latest build number, check this link : Exchange Build Numbers\r\n\r\nThis section is built from a file located in the public github repository.\r\nThe repository is manually updated by the team project when new CU/SU are released.\r\n", + "json": "This section displays the Exchange version and the CU installed.\r\n\r\nFor the latest build number, check this link : Exchange Build Numbers\r\n\r\nThis section is built from a file located in the public GitHub repository.\r\nThe repository is manually updated by the team project when new CU/SU are released. ((Delay may happen between the release of a new CU/SU and the update of the file))\r\n", "style": "info" }, "conditionalVisibility": { 
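Review bot: The new `DateCompare` parameter reuses the `DateOfConfiguration` query verbatim, so its pre-selected entry is the `"lastdate"` / `"Last Known date"` row (`| project Collection = "lastdate", Selected = true`), which the compare parser added in this commit turns into a null datetime, and nothing in this hunk enforces the description's requirement that the date be older than the configured one — an equal or later pick leaves the parser's `between (...)` window empty and reports every assignment as added instead of failing. Filter the copied query with `| where Value != "lastdate"` (or drop that join arm) so the default is a real collection date, and consider a visible check that `DateCompare` precedes `DateOfConfiguration`. The info text in the same hunk reaches the UI with several misspellings — 'toogle buttom', 'beetween', 'choosen', 'fied', 'comparaison', 'functionnality' — worth fixing in the `json` string before release.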
@@ -187,7 +236,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\n//ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(ProcessedByServer_s)\r\n| extend CmdletResultType = tostring(CmdletResultType)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\r\n| extend Server = strcat(\"💻 \",Server)\r\n| extend Productname = case ( VersionNumber startswith \"15.02\", \"Exchange 2019\", VersionNumber startswith \"15.01\", \"Exchange 2016\", VersionNumber startswith \"15.00\",\"Exchange 2013\", \"Exchange 2010\")\r\n| extend CU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff(CU <> \"\", CU, \"New CU or SU not yet in the List\"))\r\n| extend SU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff( SU <> \"\", SU, \"New CU or SU not yet in the List\"))\r\n|project-away CmdletResultType\r\n| sort by Server 
asc\r\n", + "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://aka.ms/ExchBuildNumber\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\n//ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(ProcessedByServer_s)\r\n| extend CmdletResultType = tostring(CmdletResultType)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\r\n| extend Server = strcat(\"💻 \",Server)\r\n| extend Productname = case ( VersionNumber startswith \"15.02\", \"Exchange 2019\", VersionNumber startswith \"15.01\", \"Exchange 2016\", VersionNumber startswith \"15.00\",\"Exchange 2013\", \"Exchange 2010\")\r\n| extend CU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff(CU <> \"\", CU, \"New CU or SU not yet in the List\"))\r\n| extend SU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff( SU <> \"\", SU, \"New CU or SU not yet in the List\"))\r\n|project-away CmdletResultType\r\n| sort by Server asc\r\n", "size": 1, "showAnalytics": true, "title": "Exchange servers CU-SU level", 
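Review bot: The replacement `externaldata` source `h"https://aka.ms/ExchBuildNumber"` is a redirect whose resolved target is not recorded anywhere in the hunk, so the CSV the query joins against is now decided outside this repository and a later retarget would be invisible to code review; the same applies to the `@@ -209,7 +258,7 @@` hunk and to the `CmdletWatchlist` source in `@@ -252,7 +301,7 @@`, where the fetched list drives the "excluded CmdLets are part of Sensitive Cmdlets" verdict. A KQL comment above the `let` recording the canonical backing file, e.g. `// aka.ms/ExchBuildNumber -> <resolved CSV URL: fill in>`, would at least make the dependency reviewable; serving the list from a workspace Watchlist would keep the reference data under the tenant's control. Keeping the `h` prefix on the literal is good, as it keeps the URL out of query diagnostics.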
@@ -209,7 +258,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(CmdletResultValue.Server)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| extend CU = iff( CU <> \"\", CU, \"New CU/SU not yet in the CU List\")\r\n| extend Version =strcat (VersionNumber,\"-\",CU,\"-\",SU)\r\n| summarize dcount(Server) by Version", + "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://aka.ms/ExchBuildNumber\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| 
extend Server = tostring(CmdletResultValue.Server)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| extend CU = iff( CU <> \"\", CU, \"New CU/SU not yet in the CU List\")\r\n| extend Version =strcat (VersionNumber,\"-\",CU,\"-\",SU)\r\n| summarize dcount(Server) by Version", "size": 0, "showAnalytics": true, "title": "Version break down", @@ -231,7 +280,7 @@ { "type": 1, "content": { - "json": "The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\r\n\r\nAdmin Audit Log \r\n\r\nManage Admin Audit Log \r\n\r\n\r\nThis can be used to track \r\n- Unexpected behaviors\r\n- Who did a modification\r\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\r\n\r\nℹ️ Recommendations\r\n- Ensure that Admin Audit Log is not disabled\r\n- Ensure that critical Cmdlets have not been excluded\r\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\r\n- Review the retention configuration for the Admin Audit Log content", + "json": "The Admin Audit log stores all the actions performed on Exchange Servers (except Read actions such as Get/Test).\r\n\r\nAdmin Audit Log \r\n\r\nManage Admin Audit Log \r\n\r\n\r\nThis can be used to track :\r\n- Unexpected behaviors\r\n- Who did a modification\r\n- Real actions performed by an account (the output could be used to identify the necessary privileges) and then reduce the privilege of the account by creating appropriate RBAC delegation\r\n\r\nℹ️ Recommendations\r\n- Ensure that Admin Audit Log is not disabled\r\n- Ensure that critical Cmdlets have not been excluded\r\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\r\n- Review the retention configuration for the Admin Audit Log content", "style": "info" }, "conditionalVisibility": { 
@@ -244,7 +293,7 @@
 {
 "type": 1,
 "content": {
- "json": "Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. Also check the retention limit."
+ "json": "Here the main settings for the Admin Audit Log. \r\nRemember that AdminAudit log needs to be enabled and no cmdlet should be excluded. Also check the retention limit."
 },
 "name": "text - 0"
 },
@@ -252,7 +301,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \"FALSE\", \" ❌ Disabled, High Risk\", \"✅ Enabled\")\r\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\r\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\r\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\"❌ No AdminAuditlog recorded \",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\"⚠️ Value to low except if exported \",AdminAuditLogAgeLimit), strcat(\"✅\",AdminAuditLogAgeLimit)))\r\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\"]') )\r\n| extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\"',\"\")\r\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \"*\",\"✅ Default configuration\",\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\",\"))\r\n| project-away CmdletResultValue\r\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\",AdminAuditLogExcludedCmdlets <>\"\",\"⚠️ Some Cmdlets are excluded \",\"✅ No Excluded CmdLet\")", + "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project 
CmdletResultValue\r\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \"FALSE\", \" ❌ Disabled, High Risk\", \"✅ Enabled\")\r\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\r\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\r\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\"❌ No AdminAuditlog recorded \",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\"⚠️ Value to low except if exported \",AdminAuditLogAgeLimit), strcat(\"✅\",AdminAuditLogAgeLimit)))\r\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\"]') )\r\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\"',\"\")\r\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \"*\",\"✅ Default configuration\",\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\",\"))\r\n| project-away CmdletResultValue\r\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\"❌ Some excluded CmdLets are part of Sensitive 
Cmdlets\",AdminAuditLogExcludedCmdlets <>\"\",\"⚠️ Some Cmdlets are excluded \",\"✅ No Excluded CmdLet\")",
 "size": 1,
 "showAnalytics": true,
 "showExportToExcel": true,
@@ -287,19 +336,31 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet _CurrentDateB = datetime_add('day', 1, todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\r\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\r\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n | extend 
AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\"]'))\r\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\"', \"\")\r\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \"*\", \"✅ Default configuration\", \"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\"', \"\")\r\n | project-away CmdletResultValue\r\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \"❌ Some excluded CmdLets are part of Sensitive Cmdlets\", AdminAuditLogExcludedCmdlets <> \"\", \"⚠️ Some Cmdlets are excluded \", \"✅ No Excluded CmdLet\")\r\n | extend WhenChanged = todatetime(WhenChanged)\r\n | extend WhenCreated = todatetime(WhenCreated)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\r\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\r\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\"]'))\r\n | extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\"', \"\")\r\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \"*\", \"✅ Default configuration\", \"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\"', \"\")\r\n | project-away CmdletResultValue\r\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \"❌ Some excluded CmdLets are part of Sensitive Cmdlets\", AdminAuditLogExcludedCmdlets <> \"\", \"⚠️ Some Cmdlets are excluded \", \"✅ No Excluded CmdLet\")\r\n | extend WhenChanged = todatetime(WhenChanged)\r\n | extend WhenCreated = todatetime(WhenCreated)\r\n;\r\nlet i=0;\r\nlet DiffModifData = union AfterData, BeforeData\r\n | sort by WhenChanged asc \r\n | project\r\n WhenChanged,\r\n AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet,\r\n WhenCreated\r\n | extend AdminAuditLogAgeLimit = iff(AdminAuditLogAgeLimit != prev(AdminAuditLogAgeLimit) and prev(AdminAuditLogAgeLimit) != \"\", strcat(\"📍 \", AdminAuditLogAgeLimit, \" (\", prev(AdminAuditLogAgeLimit), \"->\", AdminAuditLogAgeLimit, \" )\"), AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets != prev(AdminAuditLogCmdlets) and prev(AdminAuditLogCmdlets) != \"\", strcat(\"📍 \", AdminAuditLogCmdlets, \" (\", prev(AdminAuditLogCmdlets), \"->\", AdminAuditLogCmdlets, \" )\"), AdminAuditLogCmdlets)\r\n | extend Comment_AdminAuditLogCmdlets = 
iff(Comment_AdminAuditLogCmdlets != prev(Comment_AdminAuditLogCmdlets) and prev(Comment_AdminAuditLogCmdlets) != \"\", strcat(\"📍 \", Comment_AdminAuditLogCmdlets, \" (\", prev(Comment_AdminAuditLogCmdlets), \"->\", Comment_AdminAuditLogCmdlets, \" )\"), Comment_AdminAuditLogCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = iff(AdminAuditLogExcludedCmdlets != prev(AdminAuditLogExcludedCmdlets) and prev(AdminAuditLogExcludedCmdlets) != \"\", strcat(\"📍 \", AdminAuditLogExcludedCmdlets, \" (\", prev(AdminAuditLogExcludedCmdlets), \"->\", AdminAuditLogExcludedCmdlets, \" )\"), AdminAuditLogExcludedCmdlets)\r\n | extend Comment_AdminAuditLogExcludedCmdlet = iff(Comment_AdminAuditLogExcludedCmdlet != prev(Comment_AdminAuditLogExcludedCmdlet) and prev(Comment_AdminAuditLogExcludedCmdlet) != \"\", strcat(\"📍 \", Comment_AdminAuditLogExcludedCmdlet, \" (\", prev(Comment_AdminAuditLogExcludedCmdlet), \"->\", Comment_AdminAuditLogExcludedCmdlet, \" )\"), Comment_AdminAuditLogExcludedCmdlet)\r\n | extend ActiontypeR =iff(( AdminAuditLogAgeLimit contains \"📍\" or AdminAuditLogCmdlets contains \"📍\" or Comment_AdminAuditLogCmdlets contains \"📍\" or AdminAuditLogExcludedCmdlets contains \"📍\" or Comment_AdminAuditLogExcludedCmdlet contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n 
AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet", + "size": 1, + "showAnalytics": true, + "title": "AdminAuditLog settings comparaison", + "noDataMessage": "No modification", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 3" } ] }, "name": "group - 0Admin Audit Log configuration" }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable" - }, - "name": "POP authentication configuration" - }, { "type": 1, "content": { 
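Review bot: In the new comparison query, `SentsitivecmdletTrack` is derived from `AAL`, which reads the exclusion list for `{DateOfConfiguration:value}` only, yet it is used in the `case(isnotempty(SentsitivecmdletTrack), ...)` of both `BeforeData` and `AfterData`, so the Before row's "Some excluded CmdLets are part of Sensitive Cmdlets" flag reflects the current collect rather than the compare date and the diff on that column can miss or invent a change. After the `_DateCompareB` let, add `let AALBefore = (ExchangeConfiguration(SpecificSectionList="AdminAuditLog", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv) | project AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets);` and `let SentsitivecmdletTrackBefore = toscalar(SensitiveCMDLet | where Cmdlet has_any (AALBefore) | project Cmdlet);`, then reference `SentsitivecmdletTrackBefore` in BeforeData's `case`. Separately, `_currD` and `_CurrentDateB` are computed but never referenced, which costs an extra query for nothing, and the `"Add"` / `"Remove"` branches of the final `case` are unreachable because `where ActiontypeR == 1` leaves only `"Modif"` rows; either drop them or add a short comment saying they are kept for parity with the other comparison queries.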
@@ -310,7 +371,7 @@ { "type": 1, "content": { - "json": "If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\r\n\r\nPOP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations\r\nDisable POP on all mailboxes except those who need to actually use this protocol.\r\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that POP is disabled on all the mailboxes except those who really need it \r\n- Monitor the POP connections\r\n- Change the password of the application on a regular basis\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n \r\n Set-PopSettings\r\n\r\n\r\nIn order to track mailboxes that are currently using POP\r\n- Enable POP logging\r\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", + "json": "If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\r\n\r\nPOP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. 
Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations\r\nDisable POP on all mailboxes except those which really need to use this protocol.\r\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that POP is disabled on all the mailboxes except those who really need it \r\n- Monitor the POP connections\r\n- Change the password of the application on a regular basis\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n \r\n Set-PopSettings\r\n\r\n\r\nIn order to track mailboxes that are currently using POP\r\n- Enable POP logging\r\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -324,7 +385,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = tostring(StartupType1)\r\n| project 
ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = 
tostring(StartupType1)\r\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc",
 "size": 1,
 "showAnalytics": true,
 "title": "Pop Authentication : should not be set as Plaintext",
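Review bot: The `LoginType` label still falls open to `"✅ SecureLogin"` for every value other than 1 or 2, so a row whose `CmdletResultValue.LoginType` is missing or not parsed is reported as secure — the one default a security check should not have — and the same expression is repeated in the new POP comparison query that follows this hunk. Consider guarding it, e.g. `| extend LoginType = iff(isnull(CmdletResultValue.LoginType), "❓ LoginType not retrieved", iff(CmdletResultValue.LoginType == 1, "⛔ PlainText, High Risk", iff(CmdletResultValue.LoginType == 2, "⚠️ PlainTextAuthentication", "✅ SecureLogin")))`, or match the SecureLogin value explicitly and label anything else as unknown; the query already does this fail-closed treatment for `ServiceName` with `"Service Status not retrieved"`. The switch from `contains` to `==` for `MSExchangePop3` removes the overlap with `MSExchangePop3BE`, but the inner join still uses `contains ("MSExchangePop3BE" )`; using `==` there too keeps the two filters consistent.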
@@ -361,6 +422,35 @@ "showBorder": true } }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "POP settings comparaison", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n| summarize TimeMax = arg_max(TimeGenerated,*)\r\n//| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\r\n| project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, 
Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet i=0;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by ServerName,TimeGenerated asc\r\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \"\", strcat(\"📍 \", LoginType, \" (\", prev(LoginType), \"->\", LoginType, \" )\"), LoginType)\r\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \"\", strcat(\"📍 \", ProtocolLogEnabled, \" (\", prev(ProtocolLogEnabled), \"->\", ProtocolLogEnabled, \" )\"), ProtocolLogEnabled)\r\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \"\", strcat(\"📍 \", Status, \" (\", prev(Status), \"->\", Status, \" )\"), Status)\r\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \"\", strcat(\"📍 \", StartupType, \" (\", prev(StartupType), \"->\", StartupType, 
\" )\"), StartupType)\r\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \"\", strcat(\"📍 \", BEStatus, \" (\", prev(BEStatus), \"->\", BEStatus, \" )\"), BEStatus)\r\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \"\", strcat(\"📍 \", BEStartupType, \" (\", prev(BEStartupType), \"->\", BEStartupType, \" )\"), BEStartupType)\r\n | extend ActiontypeR =iff((LoginType contains \"📍\" or ProtocolLogEnabled contains \"📍\" or Status contains \"📍\" or StartupType contains \"📍\" or BEStatus contains \"📍\" or BEStartupType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n TimeGenerated,\r\n Actiontype,\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus,\r\n BEStartupType\r\n;\r\nDiffModifData\r\n//| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| project\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus, \r\n BEStartupType", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare" + } + ] + }, + "name": "POP authentication configuration" + }, { "type": 1, "content": { 
@@ -371,7 +461,7 @@ { "type": 1, "content": { - "json": "If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\r\n\r\nIMAP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations \r\nDisable IMAP on all mailboxes except those which needs to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \r\n- Monitor the connection\r\n- Regularly, change the password of the application\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n\r\n Set-IMAPSettings\r\n\r\n\r\n\r\nIn order to track mailboxes that are currently using IMAP\r\n- Enable IMAP logging\r\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", + "json": "If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\r\n\r\nIMAP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. 
User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations \r\nDisable IMAP on all mailboxes except those which really need to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \r\n- Monitor the connection\r\n- Regularly, change the password of the application\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n\r\n Set-IMAPSettings\r\n\r\n\r\n\r\nIn order to track mailboxes that are currently using IMAP\r\n- Enable IMAP logging\r\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -385,7 +475,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = tostring(StartupType1)\r\n| project 
ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = 
tostring(StartupType1)\r\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", "size": 1, "showAnalytics": true, "title": "IMAP Authentication : should not be set as Plaintext", 
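Review bot: The front-end service filter now uses a case-sensitive `==` against `"MSExchangeImap4"`, while the back-end filter in the same query matches `"MSExchangeIMAP4BE"` and the removed line matched `"MSExchangeIMAP4"`; KQL `==` is case-sensitive, so if the collector emits the service name as `MSExchangeIMAP4` the leftouter join finds no row and every server reports `Service Status not retrieved`. Using the case-insensitive operator, `| where CmdletResultValue.Name =~ "MSExchangeIMAP4"`, keeps the exact-name intent of the change without depending on the casing. The same `== ("MSExchangeImap4")` literal is used in both BeforeData and AfterData of the IMAP comparison hunk below, so it needs the same fix there.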
@@ -415,6 +505,25 @@ "showBorder": true } }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n| summarize TimeMax = arg_max(TimeGenerated,*)\r\n//| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\r\n| project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet i=0;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by ServerName,TimeGenerated asc\r\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \"\", strcat(\"📍 \", LoginType, \" (\", prev(LoginType), \"->\", LoginType, \" )\"), LoginType)\r\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \"\", strcat(\"📍 \", ProtocolLogEnabled, \" (\", prev(ProtocolLogEnabled), \"->\", ProtocolLogEnabled, \" )\"), ProtocolLogEnabled)\r\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \"\", strcat(\"📍 \", Status, \" (\", prev(Status), \"->\", Status, \" )\"), Status)\r\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \"\", strcat(\"📍 \", StartupType, \" (\", prev(StartupType), \"->\", StartupType, \" )\"), StartupType)\r\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \"\", strcat(\"📍 \", BEStatus, \" (\", prev(BEStatus), \"->\", BEStatus, \" )\"), BEStatus)\r\n | extend 
BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \"\", strcat(\"📍 \", BEStartupType, \" (\", prev(BEStartupType), \"->\", BEStartupType, \" )\"), BEStartupType)\r\n | extend ActiontypeR =iff((LoginType contains \"📍\" or ProtocolLogEnabled contains \"📍\" or Status contains \"📍\" or StartupType contains \"📍\" or BEStatus contains \"📍\" or BEStartupType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n Actiontype,\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus,\r\n BEStartupType\r\n;\r\nDiffModifData\r\n//| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| project\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus, \r\n BEStartupType", + "size": 1, + "showAnalytics": true, + "title": "IMAP settings comparaison", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare - Copy" + }, { "type": 12, "content": { 
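Review bot: BeforeData in the new IMAP comparison reads its service status from the current snapshot rather than the comparison date: the IMAPSettings call uses `SpecificConfigurationDate=_DateCompareB`, but both POPIMAPServicesStatus calls joined inside it use `SpecificConfigurationDate=_CurrentDate`, unlike the POP comparison above which uses `_DateCompareB` throughout BeforeData. As written, the before and after rows carry the same Status/StartupType/BEStatus/BEStartupType values, so a service being started or its startup type changing between the two dates is never flagged. Change both joined calls inside BeforeData to `SpecificConfigurationDate=_DateCompareB`. The item is also registered as `"name": "Compare - Copy"`, which reads as a paste leftover; a name matching its title, such as `"Compare IMAP"`, would help anyone editing the workbook later.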
@@ -425,14 +534,14 @@ { "type": 1, "content": { - "json": "This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed" + "json": "This section highlights nonstandard permissions on the Exchange container in the Configuration Partition. By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed. \r\nAlso Standard, Deny and inherited permissions have been removed" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\r\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\r\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\r\n - SID for deleted accounts\r\n - Old service accounts (that may not have been disabled or removed...)\r\n \r\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\r\n\r\nBy default, this section only displayed the Generic All permissions.\r\n \r\nThis section is built by removing all the standard AD and Exchange groups.\r\n\r\n Exchange 2013 deployment permissions reference\r\n \r\n", + "json": "During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\r\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\r\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\r\n - SID for deleted accounts\r\n - Old service accounts (that may not have been disabled or removed...)\r\n \r\nWhen an administrator runs setup /PrepareAD, his account 
will be granted Generic All at the top-level Exchange container\r\n\r\nBy default, this section only displayed the **Generic All** permissions.\r\n \r\nThis section is built by removing all the standard AD and Exchange groups.\r\n\r\n Exchange 2013 deployment permissions reference\r\n \r\n", "style": "info" }, "conditionalVisibility": { @@ -488,15 +597,15 @@ "filter": true, "sortBy": [ { - "itemKey": "AccessRights", - "sortOrder": 1 + "itemKey": "DN", + "sortOrder": 2 } ] }, "sortBy": [ { - "itemKey": "AccessRights", - "sortOrder": 1 + "itemKey": "DN", + "sortOrder": 2 } ] }, 
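Review bot: The rewritten info text still says `This section displayed all the nonstandard permissions` and `this section only displayed the **Generic All** permissions` while describing current behaviour; both should read `displays`. In the first text block, `By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed.` is missing `the` before `**Generic All**`. `When an administrator runs setup /PrepareAD, his account` would read more neutrally as `the account used`.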
@@ -504,6 +613,25 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let StandardGroup = dynamic([\"Authenticated Users\", \"Domain Admins\", \"Enterprise Admins\", \"Schema Admins\", \"Exchange Trusted Subsystem\", \"Exchange Servers\", \"Organization Management\", \"Public Folder Management\", \"Delegated Setup\", \"ANONYMOUS LOGON\", \"NETWORK SERVICE\", \"SYSTEM\", \"Everyone\", \"Managed Availability Servers\"]);\r\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B119E5', Target = \"On-Premises\")\r\n | summarize make_list(CmdletResultValue.Name);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"PartConfPerm\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Deny !contains \"True\" and CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ \",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on AllInfo \r\n | distinct \r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN,\r\n AllInfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Deny !contains \"True\" and 
CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ \",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Deny !contains \"True\" and CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ 
\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on AllInfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on AllInfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on AllInfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN \r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on AllInfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN ", + "size": 1, + "showAnalytics": true, + "title": "Compare NonStandard Permissions for Exchange Container in the Configuration Partition", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": 
"Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare - Copy - Copy" } ] }, @@ -535,7 +663,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n//| where CmdletResultValue.Name !contains \"Deleg\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| where CmdletResultValue.Name !contains \"Deleg\" \r\n| where CmdletResultValue.RoleAssigneeName !in (\"Hygiene Management\",\"Exchange Online-ApplicationAccount\",\"Discovery Management\")\r\n| where CmdletResultValue.Role.Name contains \"Export\" or CmdletResultValue.Role.Name contains \"Impersonation\" or (CmdletResultValue.Role.Name contains \"Search\" and CmdletResultValue.Role.Name !contains \"MailboxSearchApplication\")\r\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| where CmdletResultValue.RoleAssigneeName !in (\"Hygiene Management\",\"Exchange Online-ApplicationAccount\",\"Discovery Management\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Import Export\" or CmdletResultValue.Role.Name == \"ApplicationImpersonation\" or (CmdletResultValue.Role.Name == \"Mailbox Search\")\r\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)", "size": 1, "showAnalytics": true, "title": "Number of delegations for sensitive RBAC roles", 
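Review bot: The `Exchsrv` exclusion list in the new permissions comparison query is built against a hard-coded environment, `SpecificConfigurationEnv='B119E5'` with `SpecificConfigurationDate="lastdate"`, while every other call in the query takes `_EnvList` and `_CurrentDate` from the workbook parameters; in any other workspace the server list presumably comes back empty, the `has_any (Exchsrv)` filters exclude nothing, and the rows that list is meant to suppress appear as nonstandard permissions. Move the `let Exchsrv` below the `_EnvList`/`_CurrentDate`/`_TypeEnv` lets and call `ExchangeConfiguration(SpecificSectionList="ExchangeServers", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)`. The filter `| where (CmdletResultValue.AccessRights == "[983551]") in (True, False)` is repeated in all three datasets and accepts both outcomes, so it looks like a leftover of the Generic All toggle and should either be wired to that parameter or dropped. `"name": "Compare - Copy - Copy"` should get a meaningful item name.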
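Review bot: The new `| where CmdletResultValue.RoleAssignmentDelegationType !="6"` filter compares a dynamic property against a string literal and introduces an unexplained magic value; if the collector stores this field as a number, the comparison may never match and the assignments it is meant to exclude stay in the count. Make the type explicit and name the value, e.g. `| where toint(CmdletResultValue.RoleAssignmentDelegationType) != 6 // 6: delegating assignment, presumably the Organization Management default mentioned in the text below — confirm against the collector output`. The switch from `contains` to exact role names is an improvement; the parentheses around `(CmdletResultValue.Role.Name == "Mailbox Search")` are no longer needed.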
@@ -580,14 +708,14 @@ { "type": 1, "content": { - "json": "This delegation allows the delegated account to access and modify the content of every mailboxes using EWS." + "json": "This delegation allows the delegated accounts to access and modify the content of every mailboxes using EWS.\r\nExcluded from the result as default configuration :\r\n- The Delegating delegation for this role assigned to Organization Management\r\n- Hygiene Management group as it is a default delegation" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \r\n\r\n⚡ This role is very powerfull.\r\n\r\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\r\n\r\nHelp for the role Application Impersonation\r\n\r\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\r\n\r\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.", + "json": "**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \r\n\r\n⚡ This role is very powerfull.\r\n\r\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\r\n\r\nHelp for the role Application Impersonation\r\n\r\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\r\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\r\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. 
Remember to monitor the content of this group.", "style": "info" }, "conditionalVisibility": { 
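Review bot: The rewritten help text keeps two wording slips from the original: `powerfull` should be `powerful` and `every mailboxes` should be `every mailbox` (the first added line of the hunk has the latter as well). The same `powerfull` and a `maibox` typo survive in the hunk at @@ -638,7 +811,7 @@, and the new opener in @@ -757,7 +996,7 @@ ends with a stray ` ..` and says `number of person` where `number of people` is meant. These strings are rendered to analysts, so fixing them in this pass is cheap.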
@@ -601,9 +729,42 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.Role.Name contains \"Impersonation\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.Name !contains \"Deleg\"\r\n//| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= 
tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.Role.Name == \"ApplicationImpersonation\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "RoleAssignmentDelegationType", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "RoleAssignmentDelegationType", + "sortOrder": 1 + } + ] + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = 
\"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"Impersonation\")", "size": 1, "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -612,10 +773,22 @@ "filter": true } }, - "name": "query - 1", + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1 - Copy", "styleSettings": { "showBorder": true } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
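Review bot: The new change-tracking query hard-codes `dynamic(["Hygiene Management", "RIM-MailboxAdmins"])` as `ExclusionsAcct`, so any addition of a principal named `RIM-MailboxAdmins` to ApplicationImpersonation is silently dropped from the compare view in every environment that deploys this workbook, and the exclusion list no longer matches the one applied by the point-in-time grid just above (`Hygiene Management` only). Unless that name is expected to exist in every target organization, consider promoting the list to a workbook parameter, or at least stating the exclusions in the adjacent text item so a reviewer knows what the diff view does not show. The `CurrentRole` argument is passed as `"Impersonation"` here but as `"export"` and `"Search"` in the sibling hunks at @@ -679,6 +852,39 @@ and @@ -742,6 +948,39 @@, which reads like substring matching with inconsistent case; whether `MESCompareDataOnPMRA` compares case-insensitively cannot be seen from this diff. The same exclusion literal is repeated in those two hunks.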
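Review bot: The added text item reads `**Remove Time is displayed the date of the last collect and not the exact remove time**`, which is hard to parse; `**Remove time shows the date of the last collection, not the exact removal time**` says the same thing. The grid renamed to `"query - 1 - Copy"` also carries a copy/paste name, and a descriptive one such as `"MRA Impersonation changes"` would make this JSON easier to diff next time. The same text item is duplicated in the hunks at @@ -679,6 +852,39 @@ and @@ -742,6 +948,39 @@.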
@@ -638,7 +811,7 @@ { "type": 1, "content": { - "json": "**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows search in all mailboxes.\r\n\r\n⚡ This role is very powerfull.\r\n\r\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Import Export\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n- create an empty group with this delegation\r\n- monitor the group content and alert when the group modified\r\n- add administrators in this group only for a short period of time.\r\n", + "json": "**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows the delegated account to perform searches in all mailboxes.\r\n\r\n⚡ This role is very powerfull.\r\n\r\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Import Export\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n- Create an empty group with this delegation\r\n- Monitor the group content and alert when the group content is modified\r\n- Add administrators in this group only for a short period of time\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -652,7 +825,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name contains \"export\" and CmdletResultValue.Name !contains \"Deleg\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , 
\"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Import Export\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend 
RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -679,6 +852,39 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = \"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"export\")", + "size": 1, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
@@ -694,14 +900,14 @@ { "type": 1, "content": { - "json": "This delegation allows to search inside all or in a scope of mailboxes and export the result in PST.\r\nExcluded from the result as default configuration :\r\nDelegating delegation to Organization Management\r\nExchange Online-ApplicationAccount\r\nDiscovery Management has been excluded\r\n" + "json": "This delegation allows the delegated account to search inside all or in a scope of mailboxes and export the result in PST.\r\nExcluded from the result as default configuration :\r\n- The Delegating delegation for this role assigned to Organization Management\r\n- Delegation for the account Exchange Online-Application\r\n- Delegation for the group Discovery Management \r\n" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\r\n\r\n⚡ This role is very powerful.\r\n\r\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Search\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n\r\n- add the administrators in the Discovery Management group\r\n- monitor the group content and alert when the group modified\r\n- add administrators in this group only for a short period of time\r\n", + "json": "**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\r\n\r\n⚡ This role is very powerful.\r\n\r\nBy default, this role is only delegated to the group Discovery Management. 
The members of the group Organization Management do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Search\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n\r\n- Temporarily add the administrators in the Discovery Management group\r\n- Monitor the group content and alert when the group is modified\r\n- Add administrators in this group only for a short period of time\r\n", "style": "info" }, "conditionalVisibility": { 
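Review bot: The new explanatory text lists `Delegation for the account Exchange Online-Application` as an exclusion, but the grid in the next hunk (@@ -715,7 +921,7 @@) excludes `Exchange Online-ApplicationAccount`; the truncated name will send a reviewer looking for an account that does not exist. Change the bullet to `- Delegation for the account Exchange Online-ApplicationAccount`. The trailing space in `Discovery Management \r\n` is harmless but worth trimming while editing.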
@@ -715,7 +921,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name contains \"search\" and CmdletResultValue.Name !contains \"Deleg\"\r\n| where CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| 
extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Search\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| where CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -742,6 +948,39 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = \"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"Search\")", + "size": 1, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
@@ -757,7 +996,7 @@ { "type": 1, "content": { - "json": "These are delegations at the database level.\r\n\r\n**Receive As Extended Right on database's objects in the Configuration**\r\n\r\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\r\n\r\nHelp for Receive As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\r\n\r\n**Send As Extended Right on database objects in the Configuration**\r\n\r\n\r\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\r\n\r\nHelp for Send As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\r\n", + "json": "These sections display delegations at the database level (the database Object, not the container) ..\r\n\r\n**Receive As Extended Right on database's objects in the Configuration**\r\n\r\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\r\n\r\nHelp for Receive As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person. 
This account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers.\r\nChange the password as often as possible.\r\n\r\n**Send As Extended Right on database objects in the Configuration**\r\n\r\n\r\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\r\n\r\nHelp for Send As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.\r\nThis account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers. \r\nChange the password as often as possible.\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -767,11 +1006,41 @@ }, "name": "SendAsHelp" }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "eb0af112-df51-47f5-8849-b3ee764fa72d", + "version": "KqlParameterItem/1.0", + "name": "IsInherited", + "label": "Included Inherited deleg", + "type": 10, + "description": "Yes Show all the delegations (Databases object and Database Containers), No only databases objects", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n { \"value\": \"false\", \"label\": \"No\" , \"selected\":true },\r\n { \"value\": \"true, false\", \"label\": \"Yes\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "true, false" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 7" + }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique Acct\",\"SendAs Unique Acct\")", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = 
\"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique Acct\",\"SendAs Unique Acct\")", "size": 1, "showAnalytics": true, "title": "Number of accounts with ReceiveAs/SendAs delegations", 
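Review bot: The new filter `| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})` appears to invert the meaning of the `IsInherited` pill: with `No` the parameter expands to `false`, so the expression keeps rows where `IsInherited == false` is itself false, i.e. the inherited (container) entries, although the description says `No` should show only the database objects; `Yes` expands to `true, false` and passes everything, which is why it looks right. Unless the collected `IsInherited` value carries the opposite meaning, `| where tobool(CmdletResultValue.IsInherited) in ({IsInherited})` matches the labels. The parameter definition also defaults to `"value": "true, false"` while the `No` option carries `"selected": true`, so the pill and the data it renders disagree on first load. The same expression is repeated in the hunks at @@ -811,10 +1080,10 @@, @@ -855,7 +1124,7 @@ and @@ -918,12 +1187,10 @@.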
@@ -811,10 +1080,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique DB\",\"SendAs Unique DB\")", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique DB\",\"SendAs Unique DB\")", "size": 1, "showAnalytics": true, - "title": "ReceiveAs/SendAs database delegations", + "title": "Databases with ReceiveAs/SendAs delegations", "color": "purple", "showExportToExcel": true, "queryType": 0, 
@@ -855,7 +1124,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| summarize Count =count() by Account,DatabaseName\r\n| project Account,Count,DatabaseName\r\n", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n| summarize Count =count() by Account,DatabaseName,IsInherited\r\n| project Account,Count,DatabaseName,IsInherited\r\n", "size": 1, "showAnalytics": true, "title": "ReceiveAs Extended Right on databases", 
@@ -918,12 +1187,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| summarize Count =count() by Account, DatabaseName\r\n| project Account, Count, DatabaseName", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n| summarize Count =count() by Account,DatabaseName,IsInherited\r\n| project Account,Count,DatabaseName,IsInherited", "size": 1, "showAnalytics": true, "title": "SendAs Extended Right on databases", - "noDataMessage": "No Send-As delegation", - "noDataMessageStyle": 3, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -932,20 +1199,8 @@ { "columnMatch": "Account", "formatter": 5 - }, - { - "columnMatch": "Count", - "formatter": 8, - "formatOptions": { - "palette": "blue", - "aggregation": "Sum", - "compositeBarSettings": { - "labelText": "" - } - } } ], - "rowLimit": 10000, "filter": true, "hierarchySettings": { "treeType": 1, 
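Review bot: Removing `"rowLimit": 10000` together with the `Count` column formatter in the -932 hunk reverts the SendAs grid to the workbook default row limit, so a large set of SendAs delegations would be truncated without any indication; if the intent was only to drop the bar formatter, the row limit should stay. The -918 hunk also removes `"noDataMessage": "No Send-As delegation"`, which leaves the grid blank instead of telling the reviewer that the absence of delegations is itself the finding. I cannot see whether the ReceiveAs grid in the -855 hunk keeps its equivalent settings; if it does, the two sibling grids now diverge for no stated reason.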
@@ -953,35 +1208,75 @@ "Account" ], "finalBy": "Account" - }, - "labelSettings": [ - { - "columnId": "Account", - "comment": "Account and the number of databases on which it has delegation " - } - ] + } } }, "customWidth": "50", - "name": "MailboxDatabaseSendAsGrid", + "name": "SendAs Extended Right on databases", "styleSettings": { "showBorder": true } - } - ] - }, - "name": "ReceiveSendAs" - } - ] - }, - "conditionalVisibility": { - "parameterName": "selected", - "comparison": "isEqualTo", - "value": "Delegation" - }, - "name": "Importantsecurityconfiguration" - }, - { + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"MailboxDatabaseReceiveAs\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = 
tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited", + "size": 3, + "showAnalytics": true, + "title": "Comparaison ReceiveAs", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"MailboxDatabaseSendAs\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = 
tostring(CmdletResultValue)\r\n | sort by Account\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited", + "size": 3, + "showAnalytics": true, + "title": "Comparaison SendAs", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": 
"Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 5 - Copy" + } + ] + }, + "name": "ReceiveSendAs" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selected", + "comparison": "isEqualTo", + "value": "Delegation" + }, + "name": "Importantsecurityconfiguration" + }, + { "type": 12, "content": { "version": "NotebookGroup/1.0", 
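Review bot: The two new comparison queries join on `Allinfo = strcat(Account,DatabaseName)`, a key built without a separator, so an account/database pair can collide with a different pair whose concatenation is the same string and be reported as unchanged; `| extend Allinfo = strcat(Account, "|", DatabaseName)` (escaped as `\"|\"` inside the JSON string, using a character that cannot occur in either value) removes the ambiguity. The `AlldataUnique` step `allDataRange | join kind = innerunique (allDataRange) on Allinfo | distinct ...` self-joins the whole date range only to deduplicate, which `distinct` already does on its own and which grows with the square of the number of collections in the compared window. The titles `Comparaison ReceiveAs`/`Comparaison SendAs` are misspelled, and the item names `query - 5`/`query - 5 - Copy` do not follow the descriptive names used by the neighbouring items such as `SendAs Extended Right on databases`. The same key construction and self-join appear in the local Administrators comparison of the -1220 hunk.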
@@ -991,14 +1286,14 @@ { "type": 1, "content": { - "json": "The following section will display the content of the local Administrators group for each server\r\n\r\n** When content refer to groups from other forests, none or partial information will be displayed and the number of Administrators may be inconsistent. **\r\n\r\nMost of the sections display the same information but with differents sorting, displays..." + "json": "The following section will display the content of the local Administrators group for each server\r\n\r\n** When content refers to groups from other forests, none or partial information will be displayed, and the number of Administrators may be inconsistent. **\r\n\r\nMost of the sections display the same information but with different sorting, views...\r\nIf an SID is part of the local Administrators group, it won't be displayed due to a collect limitation." }, "name": "text - 12" }, { "type": 1, "content": { - "json": "Only Exchange administrators should be members of the local Administrators group of Exchange servers.\r\n\r\nYou need to review the content of the local Administrators group on a regular basis.\r\n\r\nIt is considered a high security risk to have a discrepancy of members between the servers. \r\n\r\nIt is not recommended to have more than one local administrator accounts. Furthermore, the password should be unique on each server and regularly changed. A solution like LAPS could be used to manage the local administrator password.\r\n\r\nOnly Exchange administrators should be able to logon on Exchange servers.\r\n\r\nHere the default content of the local Administrators group for an Exchange server \r\n:\r\n- Administrator (this account can be renamed)\r\n- Domain Admins\r\n- Exchange Trusted Subsystem\r\n- Organization Management\r\n\r\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. 
If the service account opens sessions on other servers, it can be used for lateral movements. \r\n", + "json": "Only Exchange administrators should be members of the local Administrators group of Exchange servers.\r\n\r\nYou need to review the content of the local Administrators group on a regular basis. Ensure that the content is enforced by GPO.\r\n\r\nIt is considered as a high security risk to have a discrepancy of members between the servers. \r\n\r\nIt is not recommended to have more than one local Administrator accounts. Furthermore, the password should be unique on each server and regularly changed. A solution like LAPS could be used to manage the local administrator password.\r\n\r\nOnly Exchange administrators should be able to logon on Exchange servers.\r\n\r\nHere the default content of the local Administrators group for an Exchange server \r\n:\r\n- Administrator (this account can be renamed)\r\n- Domain Admins\r\n- Exchange Trusted Subsystem\r\n- Organization Management\r\n\r\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements.\r\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\r\n", "style": "info" }, "conditionalVisibility": { @@ -1031,6 +1326,13 @@ }, "name": "parameters - 7" }, + { + "type": 1, + "content": { + "json": "**Yes** : display all content including the default Groups : Default groups after the installation of Exchange\r\n\r\n**No** : display only content of non standard Groups" + }, + "name": "text - 15" + }, { "type": 1, "content": { 
@@ -1077,8 +1379,9 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Click to see number of unique members for all servers", + "title": "Click to see number of unique members for every servers in the organization", "expandable": true, + "expanded": true, "items": [ { "type": 1, @@ -1131,7 +1434,7 @@ "version": "KqlItem/1.0", "query": "let allsrv = ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | where \r\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") \r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Name = tostring(trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\r\n| distinct Name\r\n| project Name\r\n| join kind=rightanti (allsrv) on Name\r\n| project CmdletResultValue.Name", "size": 4, - "title": "Servers not reachable", + "title": "Servers not reachable during the collect", "noDataMessage": "All server were successfully analyzed", "noDataMessageStyle": 3, "queryType": 0, @@ -1159,7 +1462,7 @@ "version": "KqlItem/1.0", "query": "ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.ServerRole <> 64\r\n| count\r\n", "size": 4, - "title": "Number of servers", + "title": "Total number of servers in the Organizaton", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", 
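Review bot: The new tile title `"Total number of servers in the Organizaton"` in the -1159 hunk misspells "Organization", and the group title in the -1077 hunk reads `every servers in the organization` where `every server` is correct. Both strings are rendered verbatim to the workbook user, so they should be corrected before merge.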
@@ -1210,7 +1513,7 @@
 {
 "type": 1,
 "content": {
- "json": "This view shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\r\n\r\nConsider reviewing:\r\n- **nonstandard members** the Memberpath help to understand from which group the user comprised\r\n- **inconsistent memebrs** across servers\r\n\r\nNote that content from Trusted forests might not be displayed. ",
+ "json": "This Tab shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\r\n\r\nConsider reviewing:\r\n- **nonstandard members** : the Memberpath help to understand from which group inclusion the user come from\r\n- **inconsistent members** across servers\r\n\r\nNote that content from Trusted forests might not be displayed. ",
 "style": "info"
 },
 "conditionalVisibility": {
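Review bot: The reworded help text in this hunk is grammatically broken: `the Memberpath help to understand from which group inclusion the user come from` should read `the MemberPath column shows through which group membership the user was included`, and `that is member` should be `that is a member`. This text is what the analyst reads while reviewing local Administrators membership, so its clarity matters more than a code comment's.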
@@ -1220,6 +1523,61 @@ }, "name": "LocalAdminPerServersHelp" }, + { + "type": 1, + "content": { + "json": "This tabled shows a comparaison of the content between two dates.", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "LocalAdminPerServersHelp - Copy" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "590a6eb9-3349-46cd-ace1-cae9aac1f26a", + "version": "KqlParameterItem/1.0", + "name": "Server", + "type": 2, + "query": "ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\r\n| distinct Parentgroup = Parentgroup", + "typeSettings": { + "additionalResourceOptions": [] + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 18" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize 
TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"LocalAminGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Parentgroup,\r\n MemberPath, \r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local 
Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Parentgroup,\r\n MemberPath, 
\r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Parentgroup, \r\n MemberPath, \r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN\r\n| where Parentgroup contains \"{Server}\"", + "size": 3, + "showAnalytics": true, + "title": "To view the comparaison for one specific server, select a server in the dropdown list", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "name": "query - 17" + }, { "type": 3, "content": { 
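Review bot: The new `parameters - 18` and `query - 17` items lack the `conditionalVisibility` on `Compare_Collect` that their companion help text `LocalAdminPerServersHelp - Copy` carries, so the Server dropdown and the comparison grid render even when comparison mode is off and `{DateCompare:value}` may be unset. The final filter `| where Parentgroup contains "{Server}"` is a substring match, so a server whose name is a prefix of another (constructed example: `EX01` and `EX010`) shows both, and with no selection the empty string matches every row; `| where Parentgroup == "{Server}"` is the semantic the title's "one specific server" implies. The `Server` parameter query duplicates, character for character, the one in the -1365 hunk, which suggests one shared parameter instead of two. The help text `This tabled shows a comparaison of the content between two dates.` should read `This table shows a comparison of the content between two dates.`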
@@ -1227,7 +1585,7 @@ "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\r\n| project Parentgroup = strcat(\"💻 \",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\r\n| sort by Parentgroup asc ", "size": 1, "showAnalytics": true, - "title": " Total Non standard Groups and accounts including nested groups", + "title": " Total per server of Non standard Groups and accounts including nested groups", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
@@ -1290,7 +1648,7 @@ "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue\r\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\r\n| summarize Count=count() by MemberPath,Parentgroup \r\n| sort by Count desc", "size": 1, "showAnalytics": true, - "title": "Non Standard accounts summary", + "title": "Non Standard accounts summary for all servers", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
@@ -1349,7 +1707,7 @@ { "type": 1, "content": { - "json": "##### Select a server to display its content\r\n\r\nBy default only the non-standard members are displayed. \r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "##### Select a server to display its content\r\n\r\nBy default only the non-standard members are displayed. \r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 0" }, @@ -1365,10 +1723,12 @@ "type": 2, "query": "ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\r\n| distinct Parentgroup = Parentgroup", "typeSettings": { + "additionalResourceOptions": [], "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd", 
@@ -1479,7 +1839,7 @@
 {
 "type": 1,
 "content": {
- "json": "The **Exchange Trusted Subsystem** group is one the two most sensistive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contains computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\r\n\r\nThis section only shows direct nonstandard members.",
+ "json": "The **Exchange Trusted Subsystem** group is one of the two most sensitive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contain computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\r\n\r\nThis section only shows direct nonstandard members.",
 "style": "info"
 },
 "customWidth": "50",
@@ -1493,7 +1853,7 @@
 {
 "type": 1,
 "content": {
- "json": "The **Exchange Windows Permissions** group is one the two most sensistive groups in Exchange. This group has very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contains the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. ",
+ "json": "The **Exchange Windows Permissions** group is one of the two most sensitive groups in Exchange. This group has very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contain the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. ",
 "style": "info"
 },
 "customWidth": "50",
@@ -1591,7 +1951,6 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)", "items": [ { "type": 3, @@ -1620,7 +1979,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ETScontent = ExchangeConfiguration(SpecificSectionList=\"ETS\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | project Name = tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"EWP\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \"Exchange Trusted Subsystem\"\r\n//| extend Name = strcat (\"⛔\",tostring(CmdletResultValue.Name))\r\n| extend Name = iff(CmdletResultType == \"Success\", strcat (\"⛔\",tostring(CmdletResultValue.Name)),\"Script was unable to retrieve data\")\r\n| project Name ", + "query": "let ETScontent = ExchangeConfiguration(SpecificSectionList=\"ETS\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | project Name = tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"EWP\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \"Exchange Trusted Subsystem\"\r\n| extend Name = iff(CmdletResultType == \"Success\", strcat (\"⛔\",tostring(CmdletResultValue.Name)),\"Script was unable to retrieve data\")\r\n| project Name ", "size": 1, "showAnalytics": true, "title": "Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)", 
@@ -1650,7 +2009,7 @@ { "type": 1, "content": { - "json": "ℹ️ Recommendations\r\n\r\n- Groups from old Exchange version should have been removed\r\n- List of old groups \r\n\t- Exchange Organization Administrators\r\n\t- Exchange Recipient Administrators\r\n\t- Exchange Public Folder Administrators\r\n\t- Exchange Server Administrator\r\n\t- Exchange View-Only Administrator\r\n\t- Exchange Enterprise Servers (located in the root domain)\r\n\t- Exchange Domain Servers : one group per domain\r\n\r\n\r\nHelp for Built-in role groups", + "json": "ℹ️ Recommendations\r\n\r\n- Groups from the old Exchange version should have been removed\r\n- List of old groups \r\n\t- Exchange Organization Administrators\r\n\t- Exchange Recipient Administrators\r\n\t- Exchange Public Folder Administrators\r\n\t- Exchange Server Administrator\r\n\t- Exchange View-Only Administrator\r\n\t- Exchange Enterprise Servers (located in the root domain)\r\n\t- Exchange Domain Servers : one group per domain\r\n\r\n\r\nHelp for Built-in role groups", "style": "info" }, "conditionalVisibility": { @@ -1665,6 +2024,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", + "title": "If still exist, this section showed a summary of the content of old groups", "items": [ { "type": 3, @@ -1705,10 +2065,16 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Expand details on the content of old groups", + "title": "Expand this section to details on the content of the old groups", "expandable": true, - "expanded": false, "items": [ + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5" + }, { "type": 9, "content": { @@ -1724,7 +2090,8 @@ "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "a695df39-1965-479a-ad0f-b4d3d168aaed", 
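Review bot: The two group titles introduced here read awkwardly and are user-facing labels in the workbook. `"title": "If still exist, this section showed a summary of the content of old groups"` would be clearer as `"title": "If they still exist, this section shows a summary of the content of the old groups"`, and `"title": "Expand this section to details on the content of the old groups"` as `"title": "Expand this section for details on the content of the old groups"`. The removal of `"expanded": false` in the same hunk presumably relies on the renderer default for expandable groups being collapsed; worth confirming, since the added "Please select a group" prompt only helps if the group is visible.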
@@ -1754,7 +2121,7 @@ { "type": 1, "content": { - "json": "Old Exchange groups content groups (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "Old Exchange groups content groups (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 2" }, 
@@ -1762,9 +2129,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\r\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level ==0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| mv-expand CmdletResultValue.Members\r\n| where CmdletResultValue_Members.objectClass == \"group\"\r\n| project Parentgroup, MemberPath= strcat(Parentgroup,\"\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)| join kind=inner ( ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = 
tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\r\nExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\") \r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| union OldVGroupEES,OldVGroupEDS\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| where CmdletResultValue.Level != 0\r\n//| extend DN = tostring(CmdletResultValue.DN)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ Never logged\", strcat(\"❌\", LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), 
CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ Password never set\", strcat(\"❌\", LastPwdSet))))\r\n| extend MemberPath = case(ObjectClass == \"group\", strcat(\"👪 \", MemberPath), ObjectClass == \"computer\", strcat(\"💻 \", MemberPath), strcat(\"🧑‍🦰 \", MemberPath))\r\n| project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\r\n", + "query": "let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\r\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level ==0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == \"group\"\r\n | project Parentgroup, MemberPath= strcat(Parentgroup,\"\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join 
kind=inner ( ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\r\nExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") \r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | union OldVGroupEES,OldVGroupEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n | where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n | sort by tostring(CmdletResultValue.MemberPath) asc \r\n | where CmdletResultValue.Level != 0\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff 
(LastLogon == \"\", \"❌ Never logged\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ Password never set\", strcat(\"❌\", LastPwdSet))))\r\n | extend MemberPath = case(ObjectClass == \"group\", strcat(\"👪 \", MemberPath), ObjectClass == \"computer\", strcat(\"💻 \", MemberPath), strcat(\"🧑‍🦰 \", MemberPath))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\r\n", "size": 1, "showAnalytics": true, + "title": "Selected group content", "noDataMessage": "The query returned no results.", "showExportToExcel": true, "queryType": 0, 
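Review bot: The rewritten query repeats `ObjectClass == "computer"` in both the `LastLogon` and the `LastPwdSet` `iif` conditions; `ObjectClass == "group" or ObjectClass == "computer" or ObjectClass == "Local User"` expresses the same test once. The password threshold is `ago(366d)` while the explanatory text above this grid says "greater than 365 days"; if 365 is the intended boundary, `ago(365d)` would match the text, otherwise the text should say 366. The same duplicated predicate and `366d` constant recur in the new Compare item (`@@ -1807`) and in the `@@ -1981` query below.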
@@ -1807,6 +2175,44 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeDataEES=\r\n (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled));\r\nlet BeforeDataEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level == 0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == 
\"group\"\r\n | project\r\n Parentgroup,\r\n MemberPath= strcat(Parentgroup, \"\\\\\", CmdletResultValue_Members.name),\r\n Level = tostring(1),\r\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\r\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\r\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\r\n on ObjectGuid); \r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n | union BeforeDataEES, BeforeDataEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = 
iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterDataEES=\r\n (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled));\r\nlet AfterDataEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level == 0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == \"group\"\r\n | project\r\n Parentgroup,\r\n MemberPath= strcat(Parentgroup, \"\\\\\", CmdletResultValue_Members.name),\r\n Level = tostring(1),\r\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\r\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\r\n 
ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\r\n on ObjectGuid); \r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | union AfterDataEES, AfterDataEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet allDataRange = 
\r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ExGroup\" or Section_s == \"ADGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\", \"Exchange Enterprise Servers\" , \"Exchange Services\")\r\n //| where CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\"\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath 
asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| where MemberPath <> \"Exchange Enterprise Servers\\\\Exchange Domain Servers\"\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\r\n", + "size": 3, + "showAnalytics": true, + "title": "Compare of the contents of selected old group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Compare", + "styleSettings": { + "showBorder": true + } } ] }, 
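Review bot: The `BeforeDataEDS` join in the new Compare query still calls `ExchangeConfiguration(SpecificSectionList="ADGroup", SpecificConfigurationDate="lastdate", SpecificConfigurationEnv='B13', Target = "On-Premises")`, the hard-coded values this commit removes from the "Selected group content" query above, so for any other environment or comparison date the Exchange Domain Servers rows are joined against the wrong snapshot. `AfterDataEDS` has the mirror problem: its join uses `SpecificConfigurationDate=_DateCompareB` although the outer query is the `_CurrentDate` snapshot. Both joins should use the same variables as their outer query, `SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv` in `BeforeDataEDS` and `SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv` in `AfterDataEDS`. Separately, the `LastPwdSet` column labels an empty value `"❌ No logon"` in this query and in the `@@ -1981` hunk below; `"❌ Password never set"`, as used in the query above, describes the condition. The `allDataRange` leg filters `ESIEnvironment_s == _EnvList`, which presumably only works when `{EnvironmentList}` resolves to a single value — worth confirming against the parameter definition.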
@@ -1826,7 +2232,7 @@ { "type": 1, "content": { - "json": "ℹ️ Recommendations\r\n\r\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\r\n- Limit the usage of nested group for administration.\r\n- Ensure that accounts are given only the required pernissions to execute their tasks.\r\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\r\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\r\n- Monitor the content of the following groups:\r\n - Organization Management\r\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\r\n - Discovery Management\r\n - Server Management\r\n - Hygiene Management\r\n - Exchange Servers\r\n - Exchange Trusted Subsystem \r\n - Exchange Windows Permissions\r\n - xxx High privilege group (not an exhaustive list)\r\n - All RBAC groups that have high roles delegation\r\n - All nested groups in high privileges groups\r\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\r\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\r\n- Periodically review the members of the groups\r\n\r\nHelp for Built-in role groups", + "json": "ℹ️ Recommendations\r\n\r\n- Ensure that no service account is a member of the high privilege groups. 
Use RBAC to delegate the exact required permissions.\r\n- Limit the usage of nested group for administration.\r\n- Ensure that accounts are given only the required permissions to execute their tasks.\r\n- Use just in time administration principle by adding users in a group only when they need the required permissions, then remove them when their operation is over.\r\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\r\n- Monitor the content of the following groups:\r\n - Organization Management\r\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\r\n - Discovery Management\r\n - Server Management\r\n - Hygiene Management\r\n - Exchange Servers\r\n - Exchange Trusted Subsystem \r\n - Exchange Windows Permissions\r\n - xxx High privilege group (not an exhaustive list)\r\n - All RBAC groups that have high roles delegation\r\n - All nested groups in high privileges groups\r\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\r\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\r\n- Periodically review the members of the groups\r\n\r\nHelp for Built-in role groups", "style": "info" }, "conditionalVisibility": { @@ -1917,6 +2323,13 @@ }, "name": "ExchangeGroupsList" }, + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5 - Copy" + }, { "type": 9, "content": { @@ -1934,7 +2347,8 @@ "showExportToExcel": true, "showAnalytics": true, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "f3b935d7-b78f-41d2-94bc-f8c878a13260", 
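Review bot: The recommendation text rewritten here still carries two grammar slips that the commit's other wording fixes in this string left behind: `Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)` should read `(Members of this group have at least the following rights: Set-Mailbox, Add-MailboxPermission)`, and `decide if the content of this groups should be monitored` should read `decide if the content of this group should be monitored`. Since the line is already being changed for wording, fixing these in the same pass avoids another revision of a long single-line string.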
@@ -1973,7 +2387,7 @@ { "type": 1, "content": { - "json": "Exchange groups content (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "Exchange groups content (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 2" }, 
@@ -1981,7 +2395,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"ExGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n//| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", 
MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue,Parentgroup", + "query": "ExchangeConfiguration(SpecificSectionList=\"ExGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n| project-away CmdletResultValue,Parentgroup", "size": 3, "showAnalytics": true, "showExportToExcel": true, 
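Review bot: The new query still uses `"❌ No logon"` as the placeholder when the password-last-set string is empty, so an account with a blank `LastPwdSetString` is shown with a logon message in the LastPwdSet column; that branch should read something like `iff (LastPwdSet == "", "❌ No password set", strcat("❌", LastPwdSet))`. The same copied branch appears in the new query lines of hunks `@@ -2008`, `@@ -2097` and `@@ -2122`. The `ObjectClass == "computer"` test is also listed twice in both the LastLogon and LastPwdSet conditions, so one occurrence can be dropped without changing the result.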
@@ -2008,6 +2422,51 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ExGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == 
\"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on 
MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n| project \r\n TimeGenerated,\r\n Parentgroup,\r\n Actiontype,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled", + "size": 3, + "showAnalytics": true, + "title": "Add/Remove information in selected group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)" + }, + "name": "text - 7" } ] }, @@ -2020,6 +2479,13 @@ "groupType": "editable", "title": "AD Group", "items": [ + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5 - Copy" + }, { "type": 1, "content": { 
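Review bot: `AlldataUnique` joins `allDataRange` to itself with `join kind = innerunique (allDataRange) on MemberPath` and then applies `distinct`, which collapses each MemberPath to one arbitrarily chosen row (innerunique keeps one left row per key), so the `TimeGenerated` reported for an Add/Remove entry is not deterministic across runs; if the intent is the latest observation per member, `| summarize arg_max(TimeGenerated, *) by MemberPath` states that explicitly and avoids the self-join. `allDataRange` also filters with `ESIEnvironment_s == _EnvList`; if `{EnvironmentList}` can carry more than one value, `==` would presumably need to become `in` — worth confirming against the parameter definition. The grid is named `"ExchangeServersGroupsGrid - Copy"` while the equivalent AD grid added in hunk `@@ -2122` is `"ExchangeServersGroupsGrid - Compare"`; one naming pattern for both would make the items easier to find in the workbook editor.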
@@ -2043,17 +2509,14 @@ "version": "KqlParameterItem/1.0", "name": "Group", "type": 2, - "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\r\n| distinct GroupName\r\n| sort by GroupName asc\r\n", + "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where tostring(CmdletResultValue.Parentgroup) != \"Exchange Enterprise Servers\" and tostring(CmdletResultValue.Parentgroup) <> \"Exchange Services\"\r\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\r\n| distinct GroupName\r\n| sort by GroupName asc\r\n", "typeSettings": { + "additionalResourceOptions": [], "showDefault": false }, - "showExportToExcel": true, - "showAnalytics": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000 - } + "value": null }, { "id": "9d02cad2-f4c5-418d-976f-b88b56f80cb5", 
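Review bot: The added `where` mixes `!=` and `<>` for the same kind of comparison on one line; `| where tostring(CmdletResultValue.Parentgroup) !in ("Exchange Enterprise Servers", "Exchange Services")` says it once and makes the exclusion list easy to extend. Nothing in the hunk records why these two groups are removed from the selector that feeds the privileged-group review grid below; a one-line `// <reason for excluding these groups>` comment in the query would keep a later reader from silently re-adding or extending the exclusion.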
@@ -2089,7 +2552,7 @@ { "type": 1, "content": { - "json": "Overview of high privileges AD Groups' content.\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "Overview of high privileges AD Groups' content.\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 0" }, 
@@ -2097,7 +2560,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n//| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", 
MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue,Parentgroup", + "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n| project-away CmdletResultValue,Parentgroup", "size": 3, "showAnalytics": true, "showExportToExcel": true, 
@@ -2122,6 +2585,51 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ADGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == 
\"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on 
MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n| project \r\n TimeGenerated,\r\n Parentgroup,\r\n Actiontype,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled", + "size": 3, + "showAnalytics": true, + "noDataMessage": "Add/Remove information in selected group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Compare", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)" + }, + "name": "text - 6" } ] }, @@ -2146,7 +2654,7 @@ { "type": 1, "content": { - "json": "This tab displays differents security configuration for transport components." + "json": "This tab displays different security configurations for transport components." }, "name": "text - 10" }, @@ -2155,7 +2663,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Receive Connectors", + "title": "Receive Connectors with", "items": [ { "type": 3, 
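Review bot: The new AD grid sets `"noDataMessage": "Add/Remove information in selected group"` where the matching Exchange-group grid in hunk `@@ -2008` sets `"title"` to the same string, so this grid has no title and only shows that text when the query returns nothing; it should be `"title": "Add/Remove information in selected group",`. The trailing text item `"text - 6"` explains "Add/Remove" but the ➕/➖ prefixes added by the `case(...)` at the end of the query are not explained anywhere; a sentence in that item mapping ➕ to Add and ➖ to Remove would complete it.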
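Review bot: The group title changes from `"Receive Connectors"` to `"Receive Connectors with"`, which reads as an unfinished sentence in the workbook; either restore `"title": "Receive Connectors",` or complete it with what the group actually shows (the items under it filter on anonymous permission groups and IP restrictions, so e.g. `"title": "Receive Connectors with anonymous permissions",` if that is the intent — please confirm).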
@@ -2256,7 +2764,8 @@ "durationMs": 86400000 }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "14912e83-60a1-4a21-a34b-500d4662a666", @@ -2282,7 +2791,7 @@ { "type": 1, "content": { - "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions" + "json": "The toggle button helps you to sort by:\r\n\r\n- Server\r\n- Receive connectors with/without no IP restrictions" }, "name": "text - 3" }, 
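Review bot: The replacement help text `- Receive connectors with/without no IP restrictions` is a double negative and does not say which toggle state shows which set; `- Receive connectors with or without IP restrictions (toggle NoIPRestriction)` would be clearer. The same string is changed identically in hunk `@@ -2378`, so both should be updated together.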
@@ -2290,7 +2799,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\") ) on $left.Identity == $right.Name\r\n| where CmdletResultValue1.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue1.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n| where CmdletResultValue1.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n| extend Server = tostring(CmdletResultValue1.Server.Name)\r\n| extend Name = tostring(CmdletResultValue1.Name)\r\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \"32\" , \"HubTransport\", \"FrontendTransport\")\r\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\r\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \r\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\r\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\r\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\r\n| extend RemoteIP= RemoteIPall.Expression\r\n| extend IP= strcat (BindingAllall.Address,\"-\",BindingAllall.Port)\r\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by 
Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\r\n| sort by Server asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\") ) on $left.Identity == $right.Name\r\n| where CmdletResultValue1.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue1.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n| where CmdletResultValue1.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n| extend Server = tostring(CmdletResultValue1.Server.Name)\r\n| extend Name = tostring(CmdletResultValue1.Name)\r\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \"32\" , \"HubTransport\", \"FrontendTransport\")\r\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\r\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \r\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\r\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\r\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\r\n| extend RemoteIP= RemoteIPall.Expression\r\n| extend IP= strcat (BindingAllall.Address,\"-\",BindingAllall.Port)\r\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by 
Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\r\n| sort by Server asc", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
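Review bot: The changed `extend Server = replace_string(...split(CmdletResultValue.Identity.DistinguishedName, ",", 3))...` is overwritten later in the same query by `| extend Server = tostring(CmdletResultValue1.Server.Name)` after the leftouter join, so this fix cannot change what the grid displays; either drop the first `Server` extend or keep it as the fallback for rows the join does not match, e.g. `| extend Server = coalesce(tostring(CmdletResultValue1.Server.Name), Server)`. Separately, the unrestricted-range test `CmdletResultValue1.RemoteIPRanges contains "0.0.0.0"` is a substring match and presumably also fires on ranges such as 10.0.0.0/8, which would inflate the "no IP restriction" list that this anonymous-connector review relies on; matching the full any-address expression (`0.0.0.0-255.255.255.255`) would be more precise — worth confirming against the stored RemoteIPRanges values.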
@@ -2317,6 +2826,28 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project Identity,CmdletResultValue\r\n | extend Identity = tostring(Identity)\r\n | extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Server\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | distinct \r\n Actiontype,\r\n Identity,\r\n Server\r\n | project \r\n Actiontype,\r\n Identity,\r\n Server\r\n;\r\nunion DiffAddData, DiffRemoveData\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", 
Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Permission = \"ms-Exch-SMTP-Accept-Any-Recipient\",\r\n Identity,\r\n Server\r\n| order by Server\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4" } ] }, @@ -2357,7 +2888,8 @@ "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a", @@ -2378,7 +2910,7 @@ { "type": 1, "content": { - "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions" + "json": "The toggle button helps you to sort by:\r\n\r\n- Server\r\n- Receive connectors with/without no IP restrictions" }, "name": "text - 3" }, 
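Review bot: The replacement help text in the `@@ -2378,7 +2910,7 @@` hunk reads `Receive connectors with/without no IP restrictions`, which stacks "with/without" on "no" into a contradictory phrase; `Receive connectors with or without IP restrictions` says what the toggle actually filters. The same wording is introduced again for `text - 3 - Copy` in the `@@ -2477,7 +3032,7 @@` hunk and should be fixed there too. In the new comparison query of the `@@ -2317,6 +2826,28 @@` hunk, `_currD` and `let i=0;` are declared but never referenced, so they can be dropped to keep the query readable.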
@@ -2414,6 +2946,28 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.AuthMechanismString contains \"ExternalAuthoritative\"\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend 
Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.AuthMechanismString contains \"ExternalAuthoritative\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on 
Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | 
extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n tostring=(Bindings),\r\n tostring(RemoteIPRange),\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy" } ] }, 
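Review bot: `DiffRemoveData` in the new ExternalAuthoritative comparison query joins `kind = leftanti AfterData on Server` while `DiffAddData` joins on `Identity`, so a connector that was removed from a server which still has another matching connector is never reported as removed; the sibling copy in the `@@ -2513,6 +3068,25 @@` hunk already uses `| join kind = leftanti AfterData on Identity`, and this one should match. The `ActiontypeR` condition also tests `Bindings contains "📍"` twice and never tests `RemoteIPRange`, so a change confined to the remote IP ranges of a connector is silently dropped from the "Modif" rows — a gap the same condition has in the following hunk; the last disjunct should read `or Bindings contains "📍" or RemoteIPRange contains "📍"), i=i + 1, i)`. The `project` in `DiffModifData` contains `tostring=(Bindings),` which the copy in the next hunk spells as `Bindings,`; the two queries are otherwise meant to be parallel and should agree. The closing `project` relies on `Bindings_string` / `RemoteIPRange_string` columns, which presumably come from the type-mismatched `union`; a short comment saying so would save the next reader a search.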
@@ -2454,7 +3008,8 @@ "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "bcb24a01-9242-4fec-b30a-02b0583cbc87", @@ -2477,7 +3032,7 @@ { "type": 1, "content": { - "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions" + "json": "The toggle button helps you to sort by:\r\n- Server\r\n- Receive connectors with/without no IP restrictions" }, "name": "text - 3 - Copy" }, 
@@ -2513,6 +3068,25 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | 
extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet 
DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", 
prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings,\r\n RemoteIPRange,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy" } ] }, 
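Review bot: The new grid is named `query - 4 - Copy - Copy`, alongside `query - 4 - Copy` and `query - 4 - Copy - Copy - Copy - Copy` in neighbouring hunks, which tells a maintainer nothing about which comparison each one shows; a descriptive name such as `AnonymousReceiveConnectorChanges` makes the workbook JSON reviewable. This item also omits the `"gridSettings": { "filter": true }` block that the two sibling comparison grids carry, so its table is presumably not filterable in the rendered workbook; if that is unintentional, add the same block after `"resourceType"`.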
@@ -2528,7 +3102,7 @@ { "type": 1, "content": { - "json": "A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\r\n\r\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\r\n- BlindCopyTo\r\n- RedirectMessageTo\r\n- CopyTo\r\n\r\n\r\nFor more information :\r\nMail flow rules in Exchange Serve\r\n", + "json": "A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\r\n\r\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\r\n- BlindCopyTo\r\n- RedirectMessageTo\r\n- CopyTo\r\n\r\n\r\nFor more information :\r\nMail flow rules in Exchange Server\r\n", "style": "info" }, "conditionalVisibility": { 
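Review bot: The corrected help text still carries the misspelling `sentitive actions` on the new side; since the line is being touched anyway, it should read `This section shows your Transport rules with sensitive actions that can lead to data leaks:`.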
@@ -2557,103 +3131,47 @@ "styleSettings": { "showBorder": true } - } - ] - }, - "name": "Transport Rules actions to monitor" - }, - { - "type": 1, - "content": { - "json": "### Journal Mailboxes" - }, - "name": "JournalMailboxHelp" - }, - { - "type": 1, - "content": { - "json": "The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\r\n\r\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\r\n\r\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n\r\n\r\n", - "style": "info" - }, - "conditionalVisibility": { - "parameterName": "Help", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "JournalHelp" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"JournalRule\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity)\r\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \"Enabled\" or tostring(CmdletResultValue.Enabled)== \"1\" , \"Enabled\", iff(tostring(CmdletResultValue.Enabled)==\"\",\"\", \"Disabled\"))\r\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress)\r\n| extend Recipient = tostring(CmdletResultValue.Recipient)\r\n| sort by Identity asc\r\n| sort by Status desc\r\n| project-away CmdletResultValue\r\n", - "size": 1, - "showAnalytics": true, - "title": "Journal Rules configured in your environment", - "showExportToExcel": 
true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000, - "filter": true - } - }, - "name": "JournalQuery", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Journal Recipients on mailbox databases configured in your environment", - "items": [ - { - "type": 1, - "content": { - "json": "As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\r\n\r\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\r\n\r\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\r\n\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n", - "style": "info" - }, - "conditionalVisibility": { - "parameterName": "Help", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "JournalRecipientsHelp" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.JournalRecipient !=\"\"\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n", - "size": 1, + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet 
_CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,TimeGenerated\r\n| extend Identity = iif( CmdletResultValue.Identity contains \"OrgHierarchyToIgnore\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\r\n//| extend State = tostring(CmdletResultValue.State)\r\n| extend Status= iff ( tostring(CmdletResultValue.State)== \"Enabled\" or tostring(CmdletResultValue.State)== \"1\" , \"Enabled\",iff(tostring(CmdletResultValue.State)==\"\",\"\", \"Disabled\"))\r\n| extend SentTo = tostring(CmdletResultValue.SentToString)\r\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\r\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\r\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\r\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n| sort by Status desc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue, TimeGenerated\r\n| extend Identity = iif( CmdletResultValue.Identity contains \"OrgHierarchyToIgnore\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\r\n//| extend State = tostring(CmdletResultValue.State)\r\n| 
extend Status= iff ( tostring(CmdletResultValue.State)== \"Enabled\" or tostring(CmdletResultValue.State)== \"1\" , \"Enabled\",iff(tostring(CmdletResultValue.State)==\"\",\"\", \"Disabled\"))\r\n| extend SentTo = tostring(CmdletResultValue.SentToString)\r\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\r\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\r\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\r\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n| sort by Status desc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode\r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by Identity, TimeGenerated asc\r\n | extend Status = iff(Status != prev(Status) and Identity == prev(Identity), strcat(\"📍 \", Status, \" (\", iff(prev(Status)==\"\",\"Null\",prev(Status)), \"->\", Status, \" )\"), Status)\r\n | extend SentTo = iff(SentTo != prev(SentTo) and Identity == prev(Identity), strcat(\"📍 \", SentTo, \" (\", iff(prev(SentTo)==\"\",\"Null\",prev(SentTo)), \"->\", SentTo, \" )\"), SentTo)\r\n | extend BlindCopyTo = iff(BlindCopyTo != prev(BlindCopyTo) and Identity == prev(Identity), strcat(\"📍 \", BlindCopyTo, \" (\", iff(prev(BlindCopyTo)==\"\",\"Null\",prev(BlindCopyTo)), \"->\", BlindCopyTo, \" )\"), BlindCopyTo)\r\n | extend CopyTo = iff(CopyTo != prev(CopyTo) and Identity == prev(Identity), strcat(\"📍 \", CopyTo, \" (\", iff(prev(CopyTo)==\"\",\"Null\",prev(CopyTo)), \"->\", CopyTo, \" )\"), CopyTo)\r\n | extend RedirectMessageTo = iff(CopyTo != 
prev(RedirectMessageTo) and Identity == prev(Identity), strcat(\"📍 \", RedirectMessageTo, \" (\", iff(prev(RedirectMessageTo)==\"\",\"Null\",prev(RedirectMessageTo)), \"->\", RedirectMessageTo, \" )\"), RedirectMessageTo)\r\n | extend Mode = iff(Mode != prev(Mode) and Identity == prev(Identity), strcat(\"📍 \", Mode, \" (\", iff(prev(Mode)==\"\",\"Null\",prev(Mode)), \"->\", Mode, \" )\"), Mode)\r\n | extend ActiontypeR =iff(( Identity contains \"📍\" or Status contains \"📍\" or SentTo contains \"📍\" or BlindCopyTo contains \"📍\" or CopyTo contains \"📍\" or RedirectMessageTo contains \"📍\" or Mode contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by TimeGenerated desc \r\n| project\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode", + "size": 3, "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "query - 1", - "styleSettings": { - "showBorder": true - } + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy" } ] }, - "name": "JournalRecipientsGroup" + "name": "Transport Rules actions to monitor" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Remote Domain Autofoward Configuration - * 
should not allow AutoForwardEnabled", "items": [ { "type": 1, "content": { - "json": "If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\r\n\r\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \r\n\r\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\r\n\r\nAdditional information:\r\n\r\nRemote Domains\r\n", + "json": "### Journal Mailboxes" + }, + "name": "JournalMailboxHelp" + }, + { + "type": 1, + "content": { + "json": "The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\r\n\r\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\r\n\r\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n\r\n\r\n", "style": "info" }, "conditionalVisibility": { 
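Review bot: In the new transport-rule comparison query the `RedirectMessageTo` change detector compares the wrong column: `| extend RedirectMessageTo = iff(CopyTo != prev(RedirectMessageTo) and Identity == prev(Identity), ...` tests `CopyTo` against the previous `RedirectMessageTo`, so a rule whose redirect target changed is not flagged unless `CopyTo` happens to differ, and unchanged rules can be flagged as modified. Since the help text above singles out RedirectMessageTo as one of the exfiltration actions this section exists to monitor, the line should read `| extend RedirectMessageTo = iff(RedirectMessageTo != prev(RedirectMessageTo) and Identity == prev(Identity), strcat("📍 ", RedirectMessageTo, " (", iff(prev(RedirectMessageTo)=="","Null",prev(RedirectMessageTo)), "->", RedirectMessageTo, " )"), RedirectMessageTo)`. As in the other comparison queries in this commit, `_currD` is computed and never used here.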
@@ -2661,15 +3179,16 @@ "comparison": "isEqualTo", "value": "Yes" }, - "name": "AutoForwardHelp" + "name": "JournalHelp" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc ", + "query": "ExchangeConfiguration(SpecificSectionList=\"JournalRule\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \"true\" , \"Enabled\", iff(tostring(CmdletResultValue.Enabled)==\"\",\"\", \"Disabled\"))\r\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n| extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n| sort by Name asc\r\n| sort by Status desc\r\n| project-away CmdletResultValue\r\n", "size": 1, "showAnalytics": true, + "title": "Journal Rules configured in your environment", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
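Review bot: This hunk replaces the `RemoteDomain` query that flagged `AutoForwardEnabled` on the `*` remote domain with the journal-rule query, and the following hunk removes the "Accepted domains set to * authorize Open Relay" note, so both checks disappear from this position. If they are re-added later in the file (the next hunk runs past this view) nothing is lost; otherwise the workbook silently drops the two checks its own help text described as high-risk, and the commit description should say which is intended. The new `Status` expression also only recognises `tostring(CmdletResultValue.Enabled)== "true"`, whereas the removed version accepted `"Enabled"` or `"1"`; if older collector output still emits those forms, such rules will now show as `Disabled`.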
@@ -2678,50 +3197,224 @@ "filter": true } }, - "name": "query - 1", + "name": "JournalQuery", "styleSettings": { "showBorder": true } }, { - "type": 1, + "type": 3, "content": { - "json": "Accepted domains set to * authorize Open Relay.\r\n\r\nMore information:\r\n\r\nAccepted domains\r\n", - "style": "info" + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"JournalRule\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | project CmdletResultValue, TimeGenerated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n TimeGenerated,\r\n Name,\r\n Status,\r\n JournalEmailAddress,\r\n Recipient,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n ;\r\nlet AfterData = \r\n 
ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype = iff (Name != \"\", \"Remove\", \"\")\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| where Name <> \"\"\r\n| project\r\n Actiontype,\r\n Name,\r\n Status,\r\n JournalEmailAddress,\r\n Recipient", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { - "parameterName": "Help", 
+ "parameterName": "Compare_Collect", "comparison": "isEqualTo", - "value": "Yes" + "value": "True" }, - "name": "text - 3" + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue.DomainName.Address == \"*\"\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend Address = \"* : ❌ OpenRelay configuration\"\r\n| extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n| project-away CmdletResultValue", - "size": 1, - "showAnalytics": true, - "title": "Accepted domain with *", - "noDataMessage": "Accepted Domain * not confirgured (no Open Relay)", - "noDataMessageStyle": 3, - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000, - "filter": true - } + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Journal Recipients on mailbox databases configured in your environment", + "items": [ + { + "type": 1, + "content": { + "json": "As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\r\n\r\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
No one should have access to these mailboxes by default.\r\n\r\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\r\n\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "JournalRecipientsHelp" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.JournalRecipient !=\"\"\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "JournalRecipient", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "JournalRecipient", + "sortOrder": 1 + } + ] + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = 
tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,WhenChanged,WhenCreated\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n | extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n | project-away CmdletResultValue\r\n | sort by Identity asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Identity,\r\n JournalRecipient,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by Identity, WhenChanged asc\r\n | extend JournalRecipient = iff(JournalRecipient != prev(JournalRecipient) and Identity == prev(Identity), strcat(\"📍 \", JournalRecipient, \" (\", iff(prev(JournalRecipient)==\"\",\"Null\",prev(JournalRecipient)), \"->\", JournalRecipient, \" )\"), JournalRecipient)\r\n | extend ActiontypeR =iff(( Identity contains \"📍\" or JournalRecipient contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n 
Identity,\r\n JournalRecipient,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Identity,\r\n JournalRecipient,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" + } + ] }, - "name": "query - 4", - "styleSettings": { - "showBorder": true - } + "name": "JournalRecipientsGroup" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled", + "items": [ + { + "type": 1, + "content": { + "json": "If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\r\n\r\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\r\n\r\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\r\n\r\nAdditional information:\r\n\r\nRemote Domains\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "AutoForwardHelp" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc ", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = 
arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,WhenChanged,WhenCreated\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Name\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n 
| join kind = leftanti AfterData on Name\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Name asc\r\n //| extend Name = iff(Name != prev(Name) and prev(Name) != \"\" , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend Address = iff(Address != prev(Address) and prev(Address) != \"\" and Name == prev(Name), strcat(\"📍 \", Address, \" (\", prev(Address), \"->\", Address, \" )\"), Address)\r\n | extend AutoForwardEnabled = iff(AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) != \"\" and Name == prev(Name), strcat(\"📍 \", AutoForwardEnabled, \" (\", prev(AutoForwardEnabled), \"->\", AutoForwardEnabled, \" )\"), AutoForwardEnabled)\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or Address contains \"📍\" or AutoForwardEnabled contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + 
"conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy" + }, + { + "type": 1, + "content": { + "json": "Accepted domains set to * authorize Open Relay.\r\n\r\nMore information:\r\n\r\nAccepted domains\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue.DomainName.Address == \"*\"\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend Address = \"* : ❌ OpenRelay configuration\"\r\n| extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n| project-away CmdletResultValue", + "size": 1, + "showAnalytics": true, + "title": "Accepted domain with *", + "noDataMessage": "Accepted Domain * not confirgured (no Open Relay)", + "noDataMessageStyle": 3, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue, WhenChanged, WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue, WhenChanged, WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Name\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Name\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated 
\r\n;\r\nlet DiffModifData = union BeforeData, AfterData\r\n | sort by WhenChanged asc \r\n | sort by Name asc\r\n // | extend Name = iff(Name != prev(Name) and prev(Name) != \"\", strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend Address = iff(Address != prev(Address) and prev(Address) != \"\" and Name == prev(Name), strcat(\"📍 \", Address, \" (\", prev(Address), \"->\", Address, \" )\"), Address)\r\n | extend DomainType = iff(DomainType != prev(DomainType) and prev(DomainType) != \"\" and Name == prev(Name), strcat(\"📍 \", DomainType, \" (\", prev(DomainType), \"->\", DomainType, \" )\"), DomainType)\r\n | extend ActiontypeR =iff((Name contains \"📍\" or Address contains \"📍\" or DomainType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" + } + ] + }, + "name": "ForwardGroup" } ] }, - "name": "ForwardGroup" + "name": "Journal Rules" } ] }, 
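Review bot: The change-tracking query added under the `JournalQuery` item keys every comparison on `Allinfo = strcat(Name,JournalEmailAddress,Recipient)`, so a journal rule whose Enabled flag flips between `{DateCompare:value}` and `{DateOfConfiguration:value}` carries the same key in BeforeData and AfterData and, as far as the visible joins show, is never reported, although a silently disabled journal rule is precisely the change this panel exists to surface. Adding Status to the key with a separator, `| extend Allinfo = strcat(Name, \"|\", JournalEmailAddress, \"|\", Recipient, \"|\", Status)`, in allDataRange, BeforeData and AfterData fixes the missed change and also removes the ambiguity of unseparated concatenation (two rules whose Name and JournalEmailAddress differ only in where one ends collide). The self-join `allDataRange | join kind = innerunique (allDataRange) on Allinfo | distinct ...` adds nothing over the `distinct` alone and can be dropped. Several items in the new groups are still named `query - 4 - Copy - Copy - Copy - Copy - Copy` and `query - 1`; naming them like `JournalQuery` would make the workbook easier to maintain.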
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
index e223a7bcfee..244f91c89db 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
@@ -19,7 +19,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json
index aa5b4d88777..a9d47e17c75 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json
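Review bot: In the new `lastDataReceivedQuery` the `| where isnotempty(Time)` filter runs before the appended `|summarize Time = max(Time)`, and a `summarize` without a `by` clause still emits one row on empty input, so a workspace that has never received ESIExchangeOnlineConfig_CL data returns a single row with a null `Time` instead of no rows; if the connector page treats an empty result as "no data received", that signal is lost. Moving the filter after the aggregate keeps the same maximum and yields zero rows when there is nothing to report: `"lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time) | project Time"`. The intermediate grouping by GenerationInstanceID_g and ESIEnvironment_s is redundant once only the global maximum is projected.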
@@ -9,7 +9,7 @@
 "automationAccounts_ESI_DataCollector_tenantName": {
 "type": "String",
 "metadata": {
- "description": "Specifies the tenant name (don't put the GUID, only the name) that will be audited (Name of Azure AD Tenant where Automation Account is deployed)."
+ "description": "Specifies the tenant primary domain name (don't put the GUID, only the FQDN Name) that will be audited (Name of Azure AD Tenant where Automation Account is deployed)."
 }
 },
 "automationAccounts_ESI_DataCollector_tenantID": {
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
index 7b55b9445db..719ed124386 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
@@ -9,7 +9,6 @@
 "Parsers": [
 "Parsers/ExchangeConfiguration.yaml",
 "Parsers/ExchangeEnvironmentList.yaml",
- "Parsers/MESCheckVIP.yaml",
 "Parsers/MESCheckOnlineVIP.yaml",
 "Parsers/MESCompareDataMRA.yaml",
 "Parsers/MESOfficeActivityLogs.yaml"
@@ -26,7 +25,7 @@
 ],
 "WatchlistDescription": "ExchOnlineVIP Watchlists contains a list of VIP users identified in Exchange Online that would be more monitored than others. This watchlist is used in the Audit log workbooks to filter activities on those users.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online",
- "Version": "3.1.5",
+ "Version": "3.1.6",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip
new file mode 100644
index 00000000000..a364ca4e498
Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip differ
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
index 0059d5a13e3..86b4bf71ed9 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 6, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a 
dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -67,7 +67,7 @@
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs six (6) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
+ "text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList, MESOfficeActivityLogs and MESCompareDataMRA Kusto Function aliases."
 }
 },
 {
@@ -139,7 +139,7 @@
 {
 "name": "workbook3",
 "type": "Microsoft.Common.Section",
- "label": "Microsoft Exchange Online Admin Activity",
+ "label": "Microsoft Exchange Admin Activity - Online",
 "elements": [
 {
 "name": "workbook3-text",
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
index e06b0e19132..1ead482a520 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
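Review bot: The new `dataconnectors-parser-text` still names `MESCheckVIP` among the Kusto Function aliases, yet this same commit drops `Parsers/MESCheckVIP.yaml` from the Parsers list in Solution_MicrosoftExchangeSecurityExchangeOnline.json and lowers the count to five, so the alias advertised here no longer ships; the parser that remains is `MESCheckOnlineVIP`. The sentence also reads awkwardly with two "and"s. Suggested text: `"text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeEnvironmentList, MESCheckOnlineVIP, MESCompareDataMRA and MESOfficeActivityLogs Kusto Function aliases."`. If createUiDefinition.json is regenerated by the packaging tool rather than edited by hand, the correction belongs in whatever source the tool reads.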
@@ -46,7 +46,7 @@ }, "workbook3-name": { "type": "string", - "defaultValue": "Microsoft Exchange Online Admin Activity", + "defaultValue": "Microsoft Exchange Admin Activity - Online", "minLength": 1, "metadata": { "description": "Name for the workbook" @@ -70,12 +70,12 @@ } }, "variables": { - "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Exchange Security - Exchange Online", - "_solutionVersion": "3.1.5", + "_solutionVersion": "3.1.6", + "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ESI-ExchangeOnlineCollector", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ESI-ExchangeOnlineCollector", 
@@ -100,32 +100,25 @@ "parserContentId2": "ExchangeEnvironmentList-Parser" }, "parserObject3": { - "_parserName3": "[concat(parameters('workspace'),'/','MESCheckVIP Data Parser')]", - "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", - "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckVIP-Parser')))]", + "_parserName3": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]", + "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]", "parserVersion3": "1.0.0", - "parserContentId3": "MESCheckVIP-Parser" + "parserContentId3": "MESCheckOnlineVIP-Parser" }, "parserObject4": { - "_parserName4": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]", - "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", - "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]", - "parserVersion4": "1.0.0", - "parserContentId4": "MESCheckOnlineVIP-Parser" + "_parserName4": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]", + "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", + "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]", + "parserVersion4": "1.1.0", + 
"parserContentId4": "MESCompareDataMRA-Parser" }, "parserObject5": { - "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]", - "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", - "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]", + "_parserName5": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]", "parserVersion5": "1.0.0", - "parserContentId5": "MESCompareDataMRA-Parser" - }, - "parserObject6": { - "_parserName6": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]", - "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", - "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]", - "parserVersion6": "1.0.0", - "parserContentId6": "MESOfficeActivityLogs-Parser" + "parserContentId5": "MESOfficeActivityLogs-Parser" }, "workbookVersion1": "1.1.0", "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", 
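Review bot: `parserObject3` now describes the MESCheckOnlineVIP parser and the former MESCheckVIP parser (`MESCheckVIP Data Parser` savedSearch, `MESCheckVIP-Parser` content item) has no successor resource anywhere in the template, so workspaces already on 3.1.5 will presumably keep the old savedSearch and its `MESCheckVIP` function alias after upgrading, since an incremental ARM deployment does not remove resources that are absent from the new template. If the removal is intentional, the ReleaseNotes.md that the createUiDefinition description points to should say so and direct users to `MESCheckOnlineVIP` (and the `ExchOnlineVIP` watchlist it reads), so that any workbook or analytics rule still calling `MESCheckVIP` can be updated. The content IDs, versions and `-pr-` template spec names otherwise line up across the three renumbered parser objects.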
@@ -140,7 +133,7 @@ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "workbookVersion3": "1.0.0", + "workbookVersion3": "1.0.1", "workbookContentId3": "MicrosoftExchangeAdminActivity-Online", "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", @@ -166,7 +159,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -201,7 +194,7 @@ "dataTypes": [ { "name": "ESIExchangeOnlineConfig_CL", - "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
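Review bot: The new `lastDataReceivedQuery` groups by `GenerationInstanceID_g, ESIEnvironment_s` only to collapse the groups again with a second `summarize Time = max(Time)`; the intermediate grouping adds nothing, and `|summarize` lacks the space the rest of the query uses around pipes. `ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time) | project Time` yields the same single-row result. The identical query change appears again in the -518,7 hunk of this file. Separately, the freshness indicator is driven by `EntryDate_s`, a date string supplied in the record body by the collector, rather than by the ingestion timestamp `TimeGenerated`, so a skewed collector clock or a malformed date will misreport whether data is arriving; `TimeGenerated` may be the more dependable signal if the connector's semantics allow it.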
@@ -518,7 +511,7 @@ "dataTypes": [ { "name": "ESIExchangeOnlineConfig_CL", - "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ @@ -744,7 +737,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.1.5", + "description": "ExchangeConfiguration Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -874,7 +867,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5", + "description": "ExchangeEnvironmentList Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", 
@@ -1004,7 +997,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckVIP Data Parser with template version 3.1.5", + "description": "MESCheckOnlineVIP Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -1018,10 +1011,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", + "functionAlias": "MESCheckOnlineVIP", + "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ 
userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ @@ -1040,7 +1033,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1069,7 +1062,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject3').parserContentId3]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "version": "[variables('parserObject3').parserVersion3]" 
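Review bot: The rewritten `query` no longer filters the `fuzzyWatchlist` placeholder out of the union: the old query dropped it with `where objectGUID != "00000001-..."`, but the new `let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;` keeps the `"NONE","NONE","NONE"` row, so the default `UserToCheck='All'` call returns a phantom VIP named NONE next to the real entries, and a lookup for the literal string NONE matches it too. Adding `| where not(DisplayName == "NONE" and sAMAccountName == "NONE" and userPrincipalName == "NONE")` after the `project-away` restores the previous behaviour while the fuzzy union still protects against a missing watchlist. There is also a stray leading space before `let Watchlist` inside the string. The same query is repeated verbatim in the -1082,10 hunk of this file.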
@@ -1082,10 +1075,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", + "functionAlias": "MESCheckOnlineVIP", + "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ 
userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ @@ -1105,7 +1098,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1134,7 +1127,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckOnlineVIP Data Parser with template version 3.1.5", + "description": "MESCompareDataMRA Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", 
@@ -1148,11 +1141,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "Parser for MRA Configuration Data Comparison", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckOnlineVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string='All'", + "functionAlias": "MESCompareDataMRA", + "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend 
CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= 
tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet 
DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) 
!=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n 
RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1170,7 +1163,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1199,9 +1192,9 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject4').parserContentId4]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange Online", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "displayName": "Parser for MRA Configuration Data Comparison", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]", "version": "[variables('parserObject4').parserVersion4]" } }, 
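Review bot: `allDataRange` filters the raw table with `| where ESIEnvironment_s == _EnvList`, but the function default is `EnvList:string='All'`, so with default parameters this equality matches no real environment unless one is literally named All, and `_DateCompareB = todatetime(DateCompare)` appears to be null for the default `'lastdate'`, which makes the `between (_DateCompareB .. _CurrentDateB)` filter return nothing and leaves only `AfterData` feeding the Add/Remove/Modif unions. In `AfterData` the Online branch of `CustomRecipientWriteScope` reads `CmdletResultValue.CustomRecipientWriteScope.Name` while `BeforeData` and `allDataRange` read `CmdletResultValue.CustomRecipientWriteScope` for the same environment, so `DiffModifData` will compare differently shaped values and produce spurious or missed 📍 markers; `tostring(CmdletResultValue.CustomRecipientWriteScope)` aligns it with the other two. In both `BeforeData` and `AfterData` the `RoleAssignmentDelegationType` normalisation to Delegating/Regular is immediately overwritten by a later `extend RoleAssignmentDelegationType = tostring(...)`, `RoleAssigneeName` is extended twice, and `BeforeData` itself is never referenced by the final union, so those lines are dead. The `i=i + 1` inside `iff(...)` with `let i=0` reads as a counter but KQL `let` values are immutable; `extend ActiontypeR = iff(<any 📍 flag>, 1, 0)` states the intent directly. The identical query is repeated in the following -1212,11 hunk, which runs past the end of this view.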
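Review bot: `contentProductId` and `id` embed the parser version as the literal `'1.1.0'` instead of reading `variables('parserObject4').parserVersion4`, which is exactly the duplication this hunk had to patch by hand (the old lines carried `'1.0.0'`), while the sibling `version` property on the next line already uses the variable. Replacing the literal with `variables('parserObject4').parserVersion4` in both expressions keeps the product ID derived from the single version declared in `parserObject4`. The same literal pattern is visible for parserObject3 in the -1069,7 hunk, where `'1.0.0'` happens to still match.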
@@ -1212,11 +1205,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "Parser for MRA Configuration Data Comparison", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckOnlineVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string='All'", + "functionAlias": "MESCompareDataMRA", + "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend 
CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= 
tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet 
DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) 
!=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n 
RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
+ "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
 "version": 2,
 "tags": [
 {
@@ -1235,7 +1228,7 @@
 "[variables('parserObject4')._parserId4]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
 "contentId": "[variables('parserObject4').parserContentId4]",
 "kind": "Parser",
 "version": "[variables('parserObject4').parserVersion4]",
@@ -1264,7 +1257,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MESCompareDataMRA Data Parser with template version 3.1.5",
+ "description": "MESOfficeActivityLogs Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject5').parserVersion5]",
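Review bot: In the new AfterData block of the MESCompareDataMRA 1.1.0 query, `CustomRecipientWriteScope` reads `tostring(CmdletResultValue.CustomRecipientWriteScope.Name)` on both sides of the `iff`, while BeforeData and allDataRange read `tostring(CmdletResultValue.CustomRecipientWriteScope)` for the non-On-Premises case; because DiffModifData unions AfterData with allDataRange and flags a change whenever consecutive rows of the same ManagementRoleAssignement differ on that column, an Online tenant's current snapshot can disagree with every historical row and scope modifications on privileged role assignments can be reported spuriously or missed. The second branch should presumably be `tostring(CmdletResultValue.CustomRecipientWriteScope)`, matching the CustomConfigWriteScope line directly below it. Separately, in both BeforeData and AfterData the new `RoleAssignmentDelegationType = iff(... == "6" or ... == "Delegating", "Delegating", "Regular")` extend is immediately overwritten by `RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)`, so the "Delegating"/"Regular" normalisation never reaches the output; drop the second extend or swap their order. BeforeData is defined but not referenced by any of the Diff* expressions, which deserves a comment if it is kept on purpose.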
@@ -1278,11 +1271,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for MRA Configuration Data Comparison", + "displayName": "Parser for Office Activity Logs", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCompareDataMRA", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = 
tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = 
iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement 
= tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and 
prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, 
WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "functionAlias": "MESOfficeActivityLogs", + "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n 
union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( 
array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n",
+ "functionParameters": "",
 "version": 2,
 "tags": [
 {
@@ -1300,7 +1293,7 @@
 "[variables('parserObject5')._parserId5]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
 "contentId": "[variables('parserObject5').parserContentId5]",
 "kind": "Parser",
 "version": "[variables('parserObject5').parserVersion5]",
@@ -1329,7 +1322,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject5').parserContentId5]",
 "contentKind": "Parser",
- "displayName": "Parser for MRA Configuration Data Comparison",
+ "displayName": "Parser for Office Activity Logs",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
 "version": "[variables('parserObject5').parserVersion5]"
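Review bot: The header comment of the new MESOfficeActivityLogs query is copied from MESCompareDataMRA (`// This parser is used to compare the data of a specific section of the Exchange Online Configuration...`) and does not describe this function; replace it with something like `// Enriches OfficeActivity ExchangeAdmin records with VIP status (ExchOnlineVIP watchlist) and flags sensitive/restricted cmdlets listed in the CmdletWatchlist CSV.`. The sensitive-cmdlet list is fetched at query time via `externaldata ... [h"https://aka.ms/CmdletWatchlist"]`, so the IsSensitive/IsRestrictedCmdLet verdicts depend on a remote CSV outside the workspace: an outage makes the function fail and a content change silently alters what is flagged, which deserves a comment and ideally a workspace watchlist fallback or override. `iff(TargetObject=="",TargetObject="N/A",TargetObject)` looks like it was meant to be the literal `"N/A"` rather than `TargetObject="N/A"`. `IsVIP = iif(SearchKey == "", false, true)` after the leftouter join reads more clearly as `IsVIP = isnotempty(SearchKey)`.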
@@ -1340,136 +1333,6 @@ "apiVersion": "2022-10-01", "name": "[variables('parserObject5')._parserName5]", "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for MRA Configuration Data Comparison", - "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCompareDataMRA", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = 
tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n 
| extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != 
prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "Microsoft Exchange Security - Exchange Online", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject6').parserTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MESOfficeActivityLogs Data Parser with template version 3.1.5", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject6').parserVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject6')._parserName6]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for Office Activity Logs", - "category": "Microsoft Sentinel Parser", - 
"functionAlias": "MESOfficeActivityLogs", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend 
TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", - "dependsOn": [ - "[variables('parserObject6')._parserId6]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", - "contentId": "[variables('parserObject6').parserContentId6]", - "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", - "source": { - "name": "Microsoft Exchange Security - Exchange Online", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject6').parserContentId6]", - "contentKind": "Parser", - "displayName": "Parser for Office Activity Logs", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", - "version": "[variables('parserObject6').parserVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject6')._parserName6]", - "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": 
"Parser for Office Activity Logs", @@ -1490,15 +1353,15 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", "dependsOn": [ - "[variables('parserObject6')._parserId6]" + "[variables('parserObject5')._parserId5]" ], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", - "contentId": "[variables('parserObject6').parserContentId6]", + "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", + "version": "[variables('parserObject5').parserVersion5]", "source": { "kind": "Solution", "name": "Microsoft Exchange Security - Exchange Online", @@ -1524,7 +1387,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.5", + "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1542,7 +1405,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| 
extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value 
desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize 
make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where 
CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where 
CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project 
RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on 
Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? 
\\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management 
Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct 
PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 
0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| 
extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", 
SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope 
= tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project 
Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom 
Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | 
extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = 
tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation 
with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where 
CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. 
Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? \\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. 
If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the 
account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | 
where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). 
Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = 
(ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", 
Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, 
CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project 
CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel" 
@@ -1611,7 +1474,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]", 
@@ -1629,7 +1492,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend 
ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show 
Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where 
TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox 
Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. 
For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 
Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with 
*\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC 
roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains 
\\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. 
The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, 
Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been 
excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| 
extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search 
Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 
0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows 
Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑‍🦰 \\\", Members) )\\r\\n| extend RecipientType = 
tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = 
tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = 
tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = 
tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | 
distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) 
and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = 
iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" )\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" 
(\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n 
ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = 
tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = 
tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = 
todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp 
= tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , 
strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != 
prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains 
\\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = 
tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = 
tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union 
DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = 
iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n 
SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should 
configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend 
RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = 
todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = 
todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= 
tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n 
OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 
\\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and 
prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", 
NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n 
NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = 
arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", 
DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security 
configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 
'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = 
iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 
9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. 
For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. 
Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. 
When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| 
extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 
0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= 
tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search 
Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = 
tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. 
When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize 
dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by 
dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = 
\\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑‍🦰 \\\", Members) )\\r\\n| extend RecipientType = tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security 
configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = 
tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend 
RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend 
ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = 
tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", 
TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" 
)\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" (\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project 
WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the 
Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| 
extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = 
tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = 
tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , 
strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != 
prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains 
\\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = 
tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = 
tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union 
DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = 
iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n 
SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should 
configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend 
RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = 
todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = 
todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= 
tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n 
OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 
\\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and 
prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", 
NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n 
NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = 
arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", 
DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security 
configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -1698,7 +1561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.5", + "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -1716,7 +1579,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": 
\\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet 
Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel 
retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by 
Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total 
desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| 
where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by 
OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function 
series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. 
service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| 
where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive 
action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata 
(Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated 
desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel" 
@@ -1727,7 +1590,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Online Admin Activity; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Admin Activity - Online; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId3')]",
 "contentId": "[variables('_workbookContentId3')]",
 "kind": "Workbook", 
@@ -1785,7 +1648,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]", 
@@ -1803,7 +1666,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook4-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information 
are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. \\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 
\\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata 
(Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each 
Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. 
As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets 
Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. 
\\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated 
desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by 
Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per 
Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each 
Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -1876,7 +1739,7 @@ "defaultDuration": "P1000Y", "contentType": "Text/Csv", "numberOfLinesToSkip": 0, - "itemsSearchKey": "userPrincipalName", + "itemsSearchKey": "sAMAccountName", "rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n" }, "apiVersion": "2021-03-01-preview" 
@@ -1886,12 +1749,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.5", + "version": "3.1.6", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange Online", "publisherDisplayName": "Community", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Custom logs ingestion via Data Collector REST API
  2. \n
\n

Data Connectors: 1, Parsers: 6, Workbooks: 4, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Custom logs ingestion via Data Collector REST API
  2. \n
\n

Data Connectors: 1, Parsers: 5, Workbooks: 4, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1945,11 +1808,6 @@ "contentId": "[variables('parserObject5').parserContentId5]", "version": "[variables('parserObject5').parserVersion5]" }, - { - "kind": "Parser", - "contentId": "[variables('parserObject6').parserContentId6]", - "version": "[variables('parserObject6').parserVersion6]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -1973,7 +1831,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Online VIP')]", - "version": "3.1.5" + "version": "3.1.6" } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json index 39020c8111b..a1e9f9bdb6e 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json @@ -39,7 +39,7 @@ }, "workbook3-name": { "type": "string", - "defaultValue": "Microsoft Exchange Online Admin Activity", + "defaultValue": "Microsoft Exchange Admin Activity - Online", "minLength": 1, "metadata": { "description": "Name for the workbook" diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml deleted file mode 100644 index f242d0c9b16..00000000000 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: 9f0e2122-f511-4e51-83a0-51fbd86d3121 -Function: - Title: Parser for VIP Check for Exchange - Version: '1.0.0' - LastUpdated: '2023-11-01' -Category: Microsoft Sentinel Parser -FunctionName: MESCheckVIP -FunctionAlias: MESCheckVIP -FunctionParams: - - Name: UserToCheck - Type: string - Description: The user to verifiy if is a VIP or not. Default value is "all". - Default: 'All' -FunctionQuery: | - //let UserToCheck = "SampleEntry"; - let _UserToCheck = iif(UserToCheck == "" or UserToCheck == "All","All",tolower(UserToCheck)); - let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [ - "NONE","NONE","NONE","NONE","00000001-0000-1000-0000-100000000000","NONE","NONE"]; - let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != "00000001-0000-1000-0000-100000000000" | project-away TableName; - let SearchUser = Watchlist | where _UserToCheck =~ canonicalName - or _UserToCheck =~ displayName - or _UserToCheck =~ userPrincipalName - or _UserToCheck =~ sAMAccountName - or _UserToCheck =~ objectSID - or _UserToCheck == tostring(objectGUID) - or _UserToCheck =~ distinguishedName - or _UserToCheck == "All" - | extend ValueChecked = iif(_UserToCheck=="All",strcat("#",displayName,"#",userPrincipalName,"#",sAMAccountName,"#",objectGUID,"#",objectSID,"#",distinguishedName,"#"),_UserToCheck); - SearchUser \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml index 8f5b3cd4e4c..7aded9f868b 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml 
@@ -1,8 +1,8 @@ id: 39f51672-8c63-4600-882a-5db8275f798f Function: Title: Parser for MRA Configuration Data Comparison - Version: '1.0.0' - LastUpdated: '2024-02-25' + Version: '1.1.0' + LastUpdated: '2024-08-30' Category: Microsoft Sentinel Parser FunctionName: MESCompareDataMRA FunctionAlias: MESCompareDataMRA @@ -36,8 +36,8 @@ FunctionParams: Description: List of actors to exclude. Default value is "dynamic('')". Default: dynamic('') FunctionQuery: | - // Version: 1.0.0 - // Last Updated: 25/02/2024 + // Version: 1.1.0 + // Last Updated: 30/08/2024 // // DESCRIPTION: // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them. 
@@ -84,14 +84,14 @@ FunctionQuery: | and CmdletResultValue.Name !contains "Deleg" | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) + | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope)) + | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope)) | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) | extend Status= tostring(CmdletResultValue.Enabled) - | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6", "Delegating", "Regular") + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend Role = tostring(CmdletResultValue.Role) | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) 
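Review bot: The normalized `RoleAssignmentDelegationType` produced by the changed `iff(...)` line in this hunk is discarded two lines later, where `| extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)` re-extends the same column with the raw value; the `@@ -112,6 +112,7 @@` hunk has the same pattern, with the added line immediately followed by the same raw re-extend. If the intent is to make the On-Premises (`"Delegating"`) and Online (`"6"`) encodings comparable, the trailing raw `extend` should be removed in both places, or the normalized value given a distinct name that the comparison actually uses. As written, the comparison still sees the raw values and the normalization this commit introduces has no effect. The enclosing FunctionQuery block starts and ends outside the hunk.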
@@ -103,8 +103,8 @@ FunctionQuery: | and CmdletResultValue.Name !contains "Deleg" | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) + | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name)) + | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope)) | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) @@ -112,6 +112,7 @@ FunctionQuery: | | extend Status= tostring(CmdletResultValue.Enabled) | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) ; let i=0; diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md index 46169e80260..fa0469c1ecf 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md 
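Review bot: In the `@@ -103,8 +103,8 @@` hunk both branches of the new `CustomRecipientWriteScope` line are identical — each reads `CmdletResultValue.CustomRecipientWriteScope.Name` — whereas the `CustomConfigWriteScope` line directly below and the matching line in the `@@ -84,14 +84,14 @@` hunk read the plain property in the non-On-Premises branch. This looks like a copy slip; the line should presumably be `| extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))`. If the Online value is a plain string, `.Name` on it yields an empty result, so the two sides of the comparison would disagree on every recipient write scope. The enclosing FunctionQuery block starts and ends outside the hunk.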
@@ -164,12 +164,13 @@ If you need to test the parser execution without saving it as a function, add th ### Parser Definition - Title: Microsoft Exchange Compare Data MRA Parser -- Version: 1.0.0 -- Last Updated: 25/02/2024 +- Version: 1.1.0 +- Last Updated: 30/08/2024 - Description: This parser compare data from MRA and ESI Exchange Collector to find differences |**Version** |**Details** | |---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.1 |
  • Function Adaptation for On-Premises table
| |v1.0 |
  • Function initilisation for Sentinel Solution
| ### Parser Description diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md index f3cf58c8d54..d1bb13ca4d1 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.1.6 | 30-08-2024 | Correct bug on LasdtReceivedData of DataConnector. and change parser | | 3.1.5 | 15-05-2024 | Enhancement in existing **Parser** | | 3.1.4 | 30-04-2024 | Repackaged for parser issue | | 3.1.3 | 25-04-2024 | Repackaged for parser issue with old names | diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json b/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json index 009bfe4854f..8583ccf670f 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json @@ -23,7 +23,7 @@ "defaultDuration": "P1000Y", "contentType": "Text/Csv", "numberOfLinesToSkip": 0, - "itemsSearchKey": "userPrincipalName", + "itemsSearchKey": "sAMAccountName", "rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n" }, "apiVersion": "2021-03-01-preview" diff --git a/Solutions/Mimecast/Package/3.0.0.zip b/Solutions/Mimecast/Package/3.0.0.zip index 3bf99ffbe40..6d317cdf3bc 100644 Binary files a/Solutions/Mimecast/Package/3.0.0.zip and b/Solutions/Mimecast/Package/3.0.0.zip differ diff --git a/Solutions/Mimecast/Package/mainTemplate.json b/Solutions/Mimecast/Package/mainTemplate.json index 2b5c574c966..e551f01a1e3 100644 
--- a/Solutions/Mimecast/Package/mainTemplate.json +++ b/Solutions/Mimecast/Package/mainTemplate.json @@ -74,7 +74,7 @@ "_email": "[variables('email')]", "_solutionName": "Mimecast", "_solutionVersion": "3.0.0", - "solutionId": "mimecast.azure-sentinel-solution-mimecast", + "solutionId": "mimecastnorthamerica1584469118674.azure-sentinel-solution-mimecast", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { "analyticRuleVersion1": "1.0.0", diff --git a/Solutions/Mimecast/SolutionMetadata.json b/Solutions/Mimecast/SolutionMetadata.json index 39c8e3327ba..e66cb668115 100644 --- a/Solutions/Mimecast/SolutionMetadata.json +++ b/Solutions/Mimecast/SolutionMetadata.json @@ -1,5 +1,5 @@ { - "publisherId": "mimecast", + "publisherId": "mimecastnorthamerica1584469118674", "offerId": "azure-sentinel-solution-mimecast", "firstPublishDate": "2024-09-10", "lastPublishDate": "2024-09-10", diff --git a/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json b/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json index b940ab9ba21..ffbcdb9b25f 100644 --- a/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json +++ b/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json @@ -8,6 +8,12 @@ "description": "The name of the function app that you wish to create." } }, + "hostingPlan": { + "type": "string", + "metadata": { + "description": "The name of the Azure App Services Plan where this function app will run." + } + }, "objectId": { "type": "string", "metadata": { @@ -114,7 +120,7 @@ }, "variables": { "functionAppName": "[parameters('appName')]", - "hostingPlanName": "[parameters('appName')]", + "hostingPlanName": "[parameters('hostingPlan')]", "applicationInsightsName": "[parameters('appName')]", "storageAccountName": "[parameters('appName')]" }, 
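Review bot: The new `hostingPlan` parameter in the `@@ -8,6 +8,12 @@` hunk has no `defaultValue`, so any existing deployment path that supplies only `appName` (the previous behaviour, where `hostingPlanName` was derived from it) now fails with a missing-parameter error. Either keep backward compatibility with a default such as `"defaultValue": "[parameters('appName')]"` (a parameter default referencing another parameter, which I have not verified is accepted here), or make sure the connector's deployment instructions and any parameter files are updated to pass the new value. The `description` could also state whether this must name an existing App Service plan or one the template creates, since the `@@ -114,7 +120,7 @@` hunk only changes where the name comes from and does not show which it is.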
diff --git a/Solutions/Okta Single Sign-On/Package/3.0.10.zip b/Solutions/Okta Single Sign-On/Package/3.0.10.zip new file mode 100644 index 00000000000..a0d6f14bcfe Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.0.10.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index 171b320b485..eae49f17781 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Okta Single Sign-On", - "_solutionVersion": "3.0.9", + "_solutionVersion": "3.0.10", "solutionId": "azuresentinel.azure-sentinel-solution-okta", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { @@ -231,10 +231,9 @@ "_parserName1": "[concat(parameters('workspace'),'/','OktaSSO')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OktaSSO-Parser')))]", - "parserVersion1": "1.0.1", + "parserVersion1": "1.0.2", "parserContentId1": "OktaSSO-Parser" }, - "SessionId": "authenticationContext_externalSessionId_s", "_SessionId": "[variables('SessionId')]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" 
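Review bot: In the `@@ -231,10 +231,9 @@` hunk the `SessionId` variable is removed, but the following line still declares `"_SessionId": "[variables('SessionId')]"`; unless `SessionId` is defined elsewhere in the template, that is an unresolved variable reference and template validation will reject the package. This file appears to be packaging output, so the fix likely belongs in the solution source that feeds it (not in this view): drop the `_SessionId` line as well, or restore `SessionId`, and regenerate. The hunk header counts ten old lines against nine new while only nine old lines are visible in the collapsed rendering, so confirm against the actual file.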
@@ -249,7 +248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -368,7 +367,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -478,7 +477,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -588,7 +587,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -659,8 +658,8 @@ } ], "customDetails": { - "UserAgent": "client_userAgent_rawUserAgent_s", - "Location": "Location" + "Location": "Location", + "UserAgent": "client_userAgent_rawUserAgent_s" } } }, @@ -715,7 +714,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -788,12 +787,12 @@ } ], "customDetails": { - "SessionId": "[variables('_SessionId')]", - "Location": "Location" + "Location": "Location", + "SessionId": "[variables('_SessionId')]" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation", - "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n" + "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n", + "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation" } } }, @@ -848,7 +847,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -962,7 +961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1033,7 +1032,7 @@ } ], "customDetails": { - "SessionId": "authenticationContext_externalSessionId_s" + "SessionId": "[variables('_SessionId')]" } } }, @@ -1088,7 +1087,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1211,7 +1210,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1329,7 +1328,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.0.9", + "description": "Okta Single Sign-On data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -2685,7 +2684,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -2770,7 +2769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.9", + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2855,7 +2854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -2940,7 +2939,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -3025,7 +3024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.9", + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -3110,7 +3109,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.9", + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -3195,7 +3194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -3280,7 +3279,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3365,7 +3364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -3450,7 +3449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -3535,7 +3534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.0.9", + "description": "OktaCustomConnector Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4798,7 +4797,7 @@ ], "metadata": { "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2024-10-14T18:36:21.775Z", + "lastUpdateTime": "2024-11-07T18:58:15.778Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", 
@@ -4830,7 +4829,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.9", + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -5189,7 +5188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.0.9", + "description": "Okta-PromptUser Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -5640,7 +5639,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.0.9", + "description": "Okta-ResponseFromTeams Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", 
@@ -6147,7 +6146,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.0.9", + "description": "OktaSingleSignOn Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -6243,7 +6242,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.0.9", + "description": "OktaSSO Data Parser with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -6260,7 +6259,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n 
AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n 
authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n 
authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n 
SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n 
client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6310,8 +6309,8 @@ "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Backward Compatibility Parser for Okta SSO", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.2')))]", "version": "[variables('parserObject1').parserVersion1]" } }, 
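Review bot: `DomainName: string ,` in the rewritten `Oktav2_empty` datatable has a stray space before the comma, and the new `domain_s=DomainName` projection is inserted between `actor_detailEntry_s` and `actor_displayName_s` rather than alongside the other columns it relates to; style only. More substantively, `Oktav1_empty` declares no `domain_s` column, so the backward-compatibility view now emits a column that is empty for `Okta_CL` rows unless that table also carries it, and the type changes in the v2 datatable (`ActorDetailEntry`, `DebugData`, `Request`, `OriginalTarget` and `TransactionDetail` to `dynamic`, the step and AS-number columns to `int`) are described nowhere in the hunk. A one-line header comment in the query, e.g. `// 1.0.2: OktaV2_CL column types aligned with the ingested table; domain_s added from DomainName`, would help anyone comparing the two schema definitions.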
@@ -6325,7 +6324,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n 
AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n 
authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n 
authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n 
SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n 
client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6371,7 +6370,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", diff --git a/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml b/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml index e6e5b2ff38a..e7d97bfbb9e 100644 --- a/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml +++ b/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml @@ -1,7 +1,7 @@ id: ee884976-418c-472d-8a91-3533f4aa15d0 Function: Title: Backward Compatibility Parser for Okta SSO - Version: '1.0.1' + Version: '1.0.2' LastUpdated: '2023-09-07' Category: Microsoft Sentinel Parser FunctionName: OktaSSO 
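Review bot: The rewritten `query` string changes the `Oktav2_empty` datatable to declare `ActorDetailEntry`, `DebugData`, `Request`, `OriginalTarget` and `TransactionDetail` as `dynamic` and `AuthenticationContextAuthenticationStep`/`SecurityContextAsNumber` as `int`, but nothing in the hunk records that these declarations must mirror the live `OktaV2_CL` column types. Because `union isfuzzy=true Oktav2_empty, OktaV2_CL` resolves same-named columns of differing types into separate type-suffixed columns, any remaining mismatch would presumably break the `project` that references the bare names (for example `toreal(SecurityContextAsNumber)`), so a comment line inside the query such as `// Oktav2_empty must match the OktaV2_CL schema exactly; mismatched types split into <Column>_<type> on union` would make the constraint visible to the next maintainer. The added `DomainName: string ,` carries a stray space before the comma, and `domain_s=DomainName` is not declared in `Oktav1_empty`, so that column only exists through the v2 branch; presumably intended, but worth confirming against consumers of the `OktaSSO` alias. The same points apply to the `Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml` hunks below.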
@@ -58,12 +58,12 @@ FunctionQuery: | let Oktav2_empty = datatable( TimeGenerated:datetime, OriginalActorAlternateId:string, - ActorDetailEntry:string, + ActorDetailEntry:dynamic, ActorDisplayName:string, OriginalUserId:string, OriginalUserType:string, AuthenticationContextAuthenticationProvider:string, - AuthenticationContextAuthenticationStep: real, + AuthenticationContextAuthenticationStep: int, AuthenticationContextCredentialProvider: string, LogonMethod: string, ActorSessionId: string, @@ -83,22 +83,23 @@ FunctionQuery: | SrcDvcOs: string, HttpUserAgent: string, SrcZone: string, - DebugData: string, + DebugData: dynamic, EventMessage: string, EventOriginalType: string, LegacyEventType: string, EventOriginalUid: string, EventOriginalResultDetails: string, OriginalOutcomeResult: string, - Request: string, - SecurityContextAsNumber: real, + Request: dynamic, + SecurityContextAsNumber: int, SecurityContextAsOrg: string, SecurityContextDomain: string, SrcIsp: string, + DomainName: string , SecurityContextIsProxy: bool, OriginalSeverity: string, - OriginalTarget: string, - TransactionDetail: string, + OriginalTarget: dynamic, + TransactionDetail: dynamic, TransactionId: string, TransactionType: string, Version: string @@ -107,6 +108,7 @@ FunctionQuery: | project TimeGenerated, actor_alternateId_s=OriginalActorAlternateId, actor_detailEntry_s=tostring(ActorDetailEntry), + domain_s=DomainName, actor_displayName_s=ActorDisplayName, actor_id_s=OriginalUserId, actor_type_s=OriginalUserType, diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md index 40ebbe9d170..7043f9018d1 100644 --- a/Solutions/Okta Single Sign-On/ReleaseNotes.md +++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md 
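Review bot: `LastUpdated: '2023-09-07'` in the `@@ -1,7 +1,7 @@` hunk is left untouched while `Version` moves to `1.0.2` and the function body changes in the hunks below; the ReleaseNotes entry in this same diff dates the change 08-11-2024, so the line should read `LastUpdated: '2024-11-08'` (or the actual merge date). In the `@@ -83,22 +83,23 @@` hunk the added `DomainName: string ,` has a stray space before the comma, unlike every other column line. The new `domain_s=DomainName` projection in `@@ -107,6 +108,7 @@` is placed between `actor_detailEntry_s` and `actor_displayName_s`, splitting the `actor_*` group; appending it after `version_s` would keep the legacy column order intact. The type changes here match the ones in `Package/mainTemplate.json`, so both copies should be kept in step if either is revised again.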
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------| +| 3.0.10 | 08-11-2024 | Updated **Parser** to fix the schema | | 3.0.9 | 17-10-2024 | Updated package to fix connectivity of CCP connector | | 3.0.8 | 14-08-2024 | Data Connector Globally Available | | 3.0.7 | 25-04-2024 | Repackaged for parser issue with old names | diff --git a/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py b/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py index 698537110c0..94aef01a2a3 100644 --- a/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py +++ b/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py @@ -102,7 +102,7 @@ def get_cursor_by_group(sc, sid, group_name, instance_name): return response.data.value def get_cursor_by_partition(client, stream_id, partition): - print("Creating a cursor for partition {}".format(partition)) + logging.info("Creating a cursor for partition {}".format(partition)) cursor_details = oci.streaming.models.CreateCursorDetails( partition=partition, type=oci.streaming.models.CreateCursorDetails.TYPE_TRIM_HORIZON) diff --git a/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip b/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip index 7da825d6bf7..7958dd5c045 100644 Binary files a/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip and b/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip differ diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml index 5aba013bee0..6c6bfcbe3d8 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml 
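Review bot: The new `logging.info("Creating a cursor for partition {}".format(partition))` formats the message eagerly; the logging idiom is to pass the arguments and let the logger interpolate only when the level is enabled, i.e. `logging.info("Creating a cursor for partition %s", partition)`. The hunk does not show whether `main.py` already has `import logging` at module scope; if it does not, this line raises `NameError` on the first call, so that import should be confirmed. `get_cursor_by_partition` continues past the end of the hunk.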
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -72,5 +66,5 @@ entityMappings: columnName: FileHashValue - identifier: Algorithm columnName: FileHashType -version: 1.3.5 +version: 1.3.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml index b34d5bfb4aa..110e00a0d2f 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml +++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml @@ -10,12 +10,6 @@ description: | severity: Low status: Available requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -68,5 +62,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.4 +version: 1.0.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml index 9c1c9fa0848..af0bd93a483 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml +++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml @@ -7,12 +7,6 @@ description: | severity: Low status: Available requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -68,5 +62,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.6 +version: 1.0.7 kind: Scheduled diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml index db90df11763..28aa6900ad2 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml +++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml @@ -7,12 +7,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -59,5 +53,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIP -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml b/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml index 396e79a855a..288f1461538 100644 --- a/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml +++ b/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml @@ -6,12 +6,6 @@ description: | severity: Low status: Available requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -64,4 +58,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.4 \ No newline at end of file +version: 1.0.5 \ No newline at end of file 
diff --git a/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml b/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml index 9364a983912..01614a828e3 100644 --- a/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml +++ b/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml @@ -4,12 +4,6 @@ description: | 'Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks. Consider updating the firewall policies to block the connections.' requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -116,4 +110,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: DestinationIP -version: 1.0.1 +version: 1.0.2 diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip index c13ebb456b9..06971f5bcb2 100644 Binary files a/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip and b/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip differ diff --git a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json index 45288c8c705..4bf8c64ce83 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json +++ b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
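Review bot: The rewritten `description` string has a missing space in `**Data Connector:** 1,**Workbooks:** 2`; it should read `**Data Connector:** 1, **Workbooks:** 2` to match the other counters. The same string still says `The existing connectors are about to be deprecated by **Aug 31, 2024**`, which is stale now that the legacy and AMA-specific connectors are removed from this package (the `steps` hunk below drops the data-connectors blade entirely) and the date has passed. The `Data Connector: 1` count presumably refers to the CEF via AMA connector supplied by the Common Event Format dependency rather than one shipped here; if so, the sentence should say so explicitly. If `createUiDefinition.json` is generated by the packaging tool, as the `Package/` layout suggests, these edits belong in the solution's source metadata rather than in this file.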
@@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PaloAlto-PAN-OS. You can get PaloAlto-PAN-OS CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -246,7 +222,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. This hunting query depends on PaloAltoNetworks PaloAltoNetworksAma CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)" + "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -260,7 +236,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on PaloAltoNetworks PaloAltoNetworksAma CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)" + "text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json index e7637667c3c..e680cbaff9d 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json +++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json 
@@ -52,31 +52,13 @@ "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "PaloAltoNetworks", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PaloAltoNetworks", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "PaloAltoNetworksAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "PaloAltoNetworksAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "huntingQueryObject1": { - "huntingQueryVersion1": "1.0.1", + "huntingQueryVersion1": "1.0.2", "_huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59", "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a57accf-3548-4e38-a861-99687c958f59')))]" }, "huntingQueryObject2": { - "huntingQueryVersion2": "1.0.4", + "huntingQueryVersion2": "1.0.5", "_huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d", "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2f8522fc-7807-4f0a-b53d-458296edab8d')))]" }, 
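Review bot: `"_solutionVersion": "3.0.7"` is kept as a context line while this hunk removes both data-connector resource definitions and bumps every hunting-query and analytic-rule version, and the accompanying `Package/3.0.7.zip` binary is rewritten in the same diff. Re-publishing different content under an unchanged solution version leaves `_solutioncontentProductId` (derived from `_solutionVersion` further down) identical, so workspaces that already have 3.0.7 installed are presumably not offered the change, and the published package no longer matches what 3.0.7 previously contained. The version should move to `3.0.8` with a matching `ReleaseNotes.md` entry; no such entry for PaloAlto-PAN-OS is visible in this part of the diff.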
@@ -94,32 +76,32 @@ "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.3.5", + "analyticRuleVersion2": "1.3.6", "_analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2be4ef67-a93f-4d8a-981a-88158cb73abd')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2be4ef67-a93f-4d8a-981a-88158cb73abd')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.5')))]" + "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.6')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.4", + "analyticRuleVersion3": "1.0.5", "_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.4')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.5')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.6", + "analyticRuleVersion4": "1.0.7", "_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.6')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.7')))]" }, "PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector", "_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]", 
@@ -197,708 +179,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAlto-PAN-OS data connector with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)", - "title": "2. Forward Palo Alto Networks logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Palo Alto Networks" - }, - "support": { - "name": "Palo Alto Networks", - "link": "https://www.paloaltonetworks.com/company/contact-support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent", - "contentProductId": 
"[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)", - "title": "2. Forward Palo Alto Networks logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAlto-PAN-OS data connector with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Palo Alto Networks (Firewall) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct =~ 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - 
"delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Palo Alto Networks logs to Syslog agent", - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "metadata": { - "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Palo Alto Networks" - }, - "support": { - "name": "Palo Alto Networks", - "link": "https://www.paloaltonetworks.com/company/contact-support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": 
"https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Palo Alto Networks (Firewall) via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks (Firewall) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct =~ 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where 
Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Palo Alto Networks logs to Syslog agent", - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -975,9 +255,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Palo Alto - high-risk ports", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", - "version": "1.0.1" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", + "version": "1.0.2" } }, { 
@@ -1060,9 +340,9 @@ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", "displayName": "Palo Alto - potential beaconing detected", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.4')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.4')))]", - "version": "1.0.4" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.5')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.5')))]", + "version": "1.0.5" } }, { @@ -1285,18 +565,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -1408,18 +676,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ 
@@ -1574,18 +830,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -1709,18 +953,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -9933,7 +9165,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "PaloAlto-PAN-OS", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -9957,16 +9189,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "HuntingQuery", "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md index 0c0d5eef8f2..ddaabecabd5 100644 --- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md +++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.7 | 08-01-2024 | Updated **Analytic Rule** for entity mappings | +| 3.0.7 | 11-11-2024 | Removed Deprecated **Data Connector** | +| | | Updated **Analytic Rule** for entity mappings | | 3.0.6 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.5 | 30-04-2024 | Updated the **Data Connector** to fix conectivity criteria query | | 3.0.4 | 16-04-2024 | Fixed existing rule for sites with private IP addresses other than 10/8 | diff --git a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json index 93a2778e1f6..fb561bd5ac9 100644 --- a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json +++ b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json 
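Review bot: The new `descriptionHtml` on the `+` side reads `Data Connector: 1Workbooks: 2, …` — the separator between the two counts is missing, and a count of one data connector contradicts the rest of this commit, which drops both `DataConnector` entries from `dependencies.criteria` in the following hunk and removes the `Data Connectors` list from Solution_PaloAlto-PAN-OS.json at L3097. Since mainTemplate.json is a generated package file, the fix is presumably to correct the source manifest and regenerate rather than hand-edit this string, so that the line reads `Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, …`. The same `+` text still states that the existing connectors are about to be deprecated by Aug 31, 2024, which is stale now that this commit removes them (the sentence also survives as a context line in the Solution json at L3097).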
@@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "The [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json", - "Solutions/PaloAlto-PAN-OS/Data Connectors/template_PaloAltoNetworksAMA.json" - ], "Hunting Queries": [ "Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml", "Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml" diff --git a/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml b/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml new file mode 100644 index 00000000000..3815dbd9549 --- /dev/null +++ b/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml 
@@ -0,0 +1,44 @@ +id: a8130dcc-3617-41c0-a7ac-5f352bcfffaf +name: External Fabric Module XFM1 is unhealthy +version: 1.0.0 +kind: NRT +description: External Fabric Module XFM1 is unhealthy +severity: High +tactics: +- Execution +relevantTechniques: +- T0871 +query: |2- + Syslog + | where SyslogMessage has "purity.alert" + | extend Message = replace_string(SyslogMessage, "#012", "\n") + | extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage) + | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage) + | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage) + | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage) + | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage) + | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage) + | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage) + | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage) + | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage) + | project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl + | where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)" +entityMappings: +- entityType: IP + fieldMappings: + - identifier: Address + columnName: HostIP +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities + groupByEntities: [] + groupByAlertDetails: [] + groupByCustomDetails: [] +eventGroupingSettings: + aggregationKind: SingleAlert \ No newline at end of file 
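Review bot: The `query:` block re-implements the whole FlashBlade extraction pipeline inline instead of calling the `PureStorageFlashBladeParserV1` function this commit packages in the mainTemplate hunk at L3110, so two copies of the same regexes now have to be kept in sync; `PureStorageFlashBladeParserV1 | where PureMessage has "External Fabric Module XFM1 is unhealthy"` expresses the rule in two lines, provided an NRT rule may call a workspace function here (the sibling packaged rules also inline their parser, so this may be a deliberate convention). Inside the inline query `Message` is computed but every `extract` reads `SyslogMessage` and `Message` is never projected, so that line is dead, and `PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)` captures the first whitespace-delimited word of the message, which does not look like a severity field — confirm against a sample event. The final filter `matches regex @"(External Fabric Module XFM1 is unhealthy)"` tests a literal string, so `has` is clearer and cheaper. The `tactics: Execution` / `relevantTechniques: T0871` mapping for a hardware-health condition looks inaccurate (T0871 appears to be an ATT&CK for ICS execution technique) and will misrepresent MITRE coverage, and `description:` merely repeats the name where the sibling rule states what the condition means and the expected response.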
diff --git a/Solutions/Pure Storage/Data/Solution_PureStorage.json b/Solutions/Pure Storage/Data/Solution_PureStorage.json index 97f19172c54..bd07303b5f0 100644 --- a/Solutions/Pure Storage/Data/Solution_PureStorage.json +++ b/Solutions/Pure Storage/Data/Solution_PureStorage.json @@ -3,15 +3,20 @@ "Author": "Pure Storage - support@purestorage.com", "Logo": "", "Description": "Solution for Microsoft Sentinel to ingest logs from PureStorage arrays", - "Parsers": ["Parsers/PureStorageParser.yaml"], + "Parsers": [ + "Parsers/PureStorageFlashArrayParser.yaml", + "Parsers/PureStorageFlashBladeParser.yaml" + ], "Analytic Rules": [ "Analytic Rules/PureFailedLogin.yaml", - "Analytic Rules/PureControllerFailed.yaml" + "Analytic Rules/PureControllerFailed.yaml", + "Analytic Rules/FB-FabricModuleUnhealthy.yaml" ], "Playbooks": [ "Playbooks/Pure-Storage-User-Delete/azuredeploy.json", "Playbooks/Pure-Storage-Volumes-Snapshot/azuredeploy.json", - "Playbooks/Pure-Storage-Protection-Groups-Snapshot/azuredeploy.json" + "Playbooks/Pure-Storage-Protection-Groups-Snapshot/azuredeploy.json", + "Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Pure Storage", "Version": "3.0.1", diff --git a/Solutions/Pure Storage/Package/3.0.3.zip b/Solutions/Pure Storage/Package/3.0.3.zip new file mode 100644 index 00000000000..487b8decaea Binary files /dev/null and b/Solutions/Pure Storage/Package/3.0.3.zip differ diff --git a/Solutions/Pure Storage/Package/createUiDefinition.json b/Solutions/Pure Storage/Package/createUiDefinition.json index e841a042439..103eb8dfd91 100644 --- a/Solutions/Pure Storage/Package/createUiDefinition.json +++ b/Solutions/Pure Storage/Package/createUiDefinition.json 
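Review bot: `"Version": "3.0.1"` is left unchanged as a context line at the end of this hunk while the packaged mainTemplate.json in this commit sets `_solutionVersion` to 3.0.3 and a Package/3.0.3.zip is added; if the packaging tool reads the manifest version, the next regeneration would stamp 3.0.1 again and the `_solutioncontentProductId`, which is derived from `_solutionVersion`, would change. Bump it to `"Version": "3.0.3",` so the manifest and the shipped package agree.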
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Pure%20Storage/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSolution for Microsoft Sentinel to ingest logs from PureStorage arrays\n\n**Parsers:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Pure%20Storage/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSolution for Microsoft Sentinel to ingest logs from PureStorage arrays\n\n**Parsers:** 2, **Analytic Rules:** 3, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -104,6 +104,20 @@ } } ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "External Fabric Module XFM1 is unhealthy", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "External Fabric Module XFM1 is unhealthy" + } + } + ] } ] }, diff --git a/Solutions/Pure Storage/Package/mainTemplate.json b/Solutions/Pure Storage/Package/mainTemplate.json index b1b23de1851..b55ed3578be 100644 --- a/Solutions/Pure Storage/Package/mainTemplate.json 
+++ b/Solutions/Pure Storage/Package/mainTemplate.json @@ -33,15 +33,22 @@ "email": "support@purestorage.com", "_email": "[variables('email')]", "_solutionName": "Pure Storage", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "purestoragemarketplaceadmin.microsoft-sentinel-solution-purestorage", "_solutionId": "[variables('solutionId')]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','Pure Storage Parser')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Pure Storage Parser')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('PureStorageParserV1-Parser')))]", + "_parserName1": "[concat(parameters('workspace'),'/','PureStorageFlashArrayParserV1')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashArrayParserV1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('PureStorageFlashArrayParserV1-Parser')))]", "parserVersion1": "1.0.0", - "parserContentId1": "PureStorageParserV1-Parser" + "parserContentId1": "PureStorageFlashArrayParserV1-Parser" + }, + "parserObject2": { + "_parserName2": "[concat(parameters('workspace'),'/','PureStorageFlashBladeParserV1')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashBladeParserV1')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('PureStorageFlashBladeParserV1-Parser')))]", + "parserVersion2": "1.0.0", + "parserContentId2": "PureStorageFlashBladeParserV1-Parser" }, "analyticRuleObject1": { "analyticRuleVersion1": "1.0.0", 
@@ -57,32 +64,47 @@ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c317b007-84e7-4449-93f4-4444f6638fd0')))]", "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c317b007-84e7-4449-93f4-4444f6638fd0','-', '1.0.0')))]" }, - "Pure-Storage-User-Delete": "Pure-Storage-User-Delete", - "_Pure-Storage-User-Delete": "[variables('Pure-Storage-User-Delete')]", + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "a8130dcc-3617-41c0-a7ac-5f352bcfffaf", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a8130dcc-3617-41c0-a7ac-5f352bcfffaf')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a8130dcc-3617-41c0-a7ac-5f352bcfffaf')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a8130dcc-3617-41c0-a7ac-5f352bcfffaf','-', '1.0.0')))]" + }, + "Pure-Storage-FlashBlade-File-System-Snapshot": "Pure-Storage-FlashBlade-File-System-Snapshot", + "_Pure-Storage-FlashBlade-File-System-Snapshot": "[variables('Pure-Storage-FlashBlade-File-System-Snapshot')]", "playbookVersion1": "1.0", - "playbookContentId1": "Pure-Storage-User-Delete", + "playbookContentId1": "Pure-Storage-FlashBlade-File-System-Snapshot", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", "workspaceResourceId": 
"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "blanks": "[replace('b', 'b', '')]", - "Pure-Storage-Volumes-Snapshot": "Pure-Storage-Volumes-Snapshot", - "_Pure-Storage-Volumes-Snapshot": "[variables('Pure-Storage-Volumes-Snapshot')]", + "Pure-Storage-User-Delete": "Pure-Storage-User-Delete", + "_Pure-Storage-User-Delete": "[variables('Pure-Storage-User-Delete')]", "playbookVersion2": "1.0", - "playbookContentId2": "Pure-Storage-Volumes-Snapshot", + "playbookContentId2": "Pure-Storage-User-Delete", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "Pure-Storage-Protection-Groups-Snapshot": "Pure-Storage-Protection-Groups-Snapshot", - "_Pure-Storage-Protection-Groups-Snapshot": "[variables('Pure-Storage-Protection-Groups-Snapshot')]", + "Pure-Storage-Volumes-Snapshot": "Pure-Storage-Volumes-Snapshot", + "_Pure-Storage-Volumes-Snapshot": "[variables('Pure-Storage-Volumes-Snapshot')]", "playbookVersion3": "1.0", - "playbookContentId3": "Pure-Storage-Protection-Groups-Snapshot", + "playbookContentId3": "Pure-Storage-Volumes-Snapshot", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", 
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "Pure-Storage-Protection-Groups-Snapshot": "Pure-Storage-Protection-Groups-Snapshot", + "_Pure-Storage-Protection-Groups-Snapshot": "[variables('Pure-Storage-Protection-Groups-Snapshot')]", + "playbookVersion4": "1.0", + "playbookContentId4": "Pure-Storage-Protection-Groups-Snapshot", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ 
@@ -95,7 +117,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PureStorageParser Data Parser with template version 3.0.2", + "description": "PureStorageFlashArrayParser Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -109,16 +131,16 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Pure Storage Parser", - "category": "PureStorageParser", - "functionAlias": "PureStorageParserV1", + "displayName": "Pure Storage FlashArray Parser", + "category": "PureStorageFlashArrayParser", + "functionAlias": "PureStorageFlashArrayParserV1", "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n", "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Parser to extract Pure Storage related info from log" + "value": "Parser to extract Pure Storage FlashArray related info from log" } ] } 
@@ -131,7 +153,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Pure Storage Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashArrayParserV1')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -161,7 +183,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "Pure Storage Parser", + "displayName": "Pure Storage FlashArray Parser", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
@@ -174,16 +196,16 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Pure Storage Parser", - "category": "PureStorageParser", - "functionAlias": "PureStorageParserV1", + "displayName": "Pure Storage FlashArray Parser", + "category": "PureStorageFlashArrayParser", + "functionAlias": "PureStorageFlashArrayParserV1", "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n", "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Parser to extract Pure Storage related info from log" + "value": "Parser to extract Pure Storage FlashArray related info from log" } ] } 
@@ -197,7 +219,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Pure Storage Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashArrayParserV1')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", 
@@ -218,6 +240,138 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject2').parserTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PureStorageFlashBladeParser Data Parser with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject2').parserVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject2')._parserName2]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Pure Storage FlashBlade Parser", + "category": "PureStorageFlashBladeParser", + "functionAlias": "PureStorageFlashBladeParserV1", + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested 
Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Parser to extract Pure Storage FlashBlade related info from log" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashBladeParserV1')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "name": "Pure Storage", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject2').parserContentId2]", + "contentKind": "Parser", + "displayName": "Pure Storage FlashBlade Parser", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', 
uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "version": "[variables('parserObject2').parserVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject2')._parserName2]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Pure Storage FlashBlade Parser", + "category": "PureStorageFlashBladeParser", + "functionAlias": "PureStorageFlashBladeParserV1", + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Parser to extract Pure Storage FlashBlade 
related info from log" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashBladeParserV1')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -227,7 +381,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PureFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PureFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -249,7 +403,6 @@ "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CredentialAccess" ], 
@@ -258,168 +411,614 @@ ], "entityMappings": [ { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "HostIP", + "identifier": "Address" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "PureLogin", + "identifier": "Name" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "columnName": "PureArrayName", + "identifier": "HostName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Pure Storage Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Pure Failed Login", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PureControllerFailed_AnalyticalRules Analytics Rule with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detect controller failure and take appropriate response action.", + "displayName": "Pure Controller Failed", + "enabled": false, + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", 
dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n| where PureObject matches regex @\"(Controllers ct[0-9] have failed)\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "tactics": [ + "Execution" + ], + "techniques": [ + "T0871" + ], + "entityMappings": [ + { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Pure Storage Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Pure Controller Failed", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FB-FabricModuleUnhealthy_AnalyticalRules Analytics Rule with template version 3.0.3", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "External Fabric Module XFM1 is unhealthy", + "displayName": "External Fabric Module XFM1 is unhealthy", + "enabled": false, + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n| where PureMessage matches regex @\"(External Fabric Module XFM1 is unhealthy)\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "tactics": [ + "Execution" + ], + "techniques": [ + "T0871" + ], + "entityMappings": [ + { + 
"entityType": "IP", + "fieldMappings": [ + { + "columnName": "HostIP", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities", + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Pure Storage Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "External Fabric Module XFM1 is unhealthy", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, 
+ { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Pure-Storage-File-System-Snapshot-WF Playbook with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Pure-Storage-File-System-Snapshot-WF", + "type": "string" + } + }, + "variables": { + "AzuresentinelConnectionName": "[[concat('Azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/account" + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/ip" + } + }, + "IP_Loop": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Get_secret": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(replace(items('IP_Loop')?['Address'], '.', '-'))}/value" + } + }, + "Fetching_API_version": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/api_version", + "method": "GET" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Retrieving_auth_token": { + "runAfter": { + "Fetching_API_version": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/login", + "method": "POST", + "headers": { + 
"api-token": "@{body('Get_secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Get_FileSystem_list": { + "runAfter": { + "Retrieving_auth_token": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(concat(replace(items('IP_Loop')?['Address'], '.', '-'),'-filesystem'))}/value" + } + }, + "FileSystem_snapshot": { + "runAfter": { + "Get_FileSystem_list": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/@{last(body('Fetching_API_version')?['versions'])}/file-system-snapshots", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + }, + "queries": { + "source_names": "@{body('Get_FileSystem_list')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Logout_of_the_FlashBlade": { + "runAfter": { + "FileSystem_snapshot": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/logout", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "connectionName": "[[variables('AzuresentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Azuresentinel')]" + }, + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + }, + "accessControl": { + "triggers": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" } - ], - "entityType": "IP" + ] }, - { - "fieldMappings": [ + "contents": { + "allowedCallerIpAddresses": [ { - "identifier": "Name", - "columnName": "PureLogin" + "addressRange": "10.21.241.30-10.21.241.37" } - ], - "entityType": "Account" + ] }, - { - "fieldMappings": [ + "actions": { + "allowedCallerIpAddresses": [ { - "identifier": "HostName", - "columnName": "PureArrayName" + "addressRange": "10.21.241.30-10.21.241.37" } - ], - "entityType": "Host" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDynamicProperties": [] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": false, - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "PT5H" + ] } } - } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Pure-Storage-File-System-Snapshot", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + 
"[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('AzuresentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Pure Storage Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "Pure Storage", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Pure Storage", - "email": "[variables('_email')]" - }, - "support": { - "name": "purestoragemarketplaceadmin", - "email": "support@purestorage.com", - "tier": "Partner", - "link": "https://support.purestorage.com" + "displayName": "[[variables('AzuresentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Pure Failed Login", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PureControllerFailed_AnalyticalRules Analytics Rule with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Detect controller failure and take appropriate response action.", - "displayName": "Pure Controller Failed", - "enabled": false, - "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = 
extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n| where PureObject matches regex @\"(Controllers ct[0-9] have failed)\"", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [], - "tactics": [ - "Execution" - ], - "techniques": [ - "T0871" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "HostIP" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDynamicProperties": [] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": false, - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "PT5H" - } + "displayName": "[[variables('KeyvaultConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Pure Storage Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Pure Storage", 
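Review bot: The Pure-Storage-File-System-Snapshot-WF workflow ships an `accessControl` block whose `triggers`, `contents` and `actions` sections all hard-code `"addressRange": "10.21.241.30-10.21.241.37"`, which looks like an environment-specific private range rather than something valid for every workspace this solution template is deployed into; for the `triggers` restriction in particular it would reject the Sentinel incident callback in any tenant whose Sentinel egress is not in that range. Either expose the range as a template parameter with an empty default (the Logic App then applies no caller restriction) or drop the block from the shared template and document the restriction as a post-deployment hardening step. In the third analytics rule, `groupingConfiguration.lookbackDuration` is `"5h"` while the other two rules use the ISO 8601 form; it should read `"lookbackDuration": "PT5H"` so all three rules agree and the value parses as a duration. The `Entities_-_Get_Accounts` action is executed but its output is not referenced anywhere in the visible workflow definition (only `body('Entities_-_Get_IPs')?['IPs']` is consumed), so it can be removed unless a later revision intends to use it. The metadata resource at the end of this hunk continues past the hunk boundary.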
@@ -437,34 +1036,64 @@ } } } - ] + ], + "metadata": { + "title": "Pure Storage FlashBlade File System Snapshot", + "description": "This playbook gets triggered when a Microsoft Sentinel Incident created for suspicious activity and it takes files system snapshot of specific file systems listed in key vault", + "prerequisites": [ + "1. Azure Key vault is required for storing the Pure Storage FlashBlade API token , create key vault if not exists", + "2. Store API token as a secret in vault, with your storage array IP in dash notation as key name. Eg: 8-8-8-8", + "3. Store file systems list as a secret in vault, with key name as follows. Eg: 8-8-8-8-filesystem", + "4. Store name of the file system to be snapshotted as comma separated values for the key created in previous step" + ], + "postDeployment": [ + "**a. Authorize playbook**", + "Once deployment is complete, we need to add the playbook in the access policy of the Keyvault [learn how](https://docs.microsoft.com/azure/key-vault/general/assign-access-policy-portal)" + ], + "lastUpdateTime": "2024-10-09T00:00:00Z", + "entities": [ + "IP", + "Host", + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Pure Controller Failed", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": 
"Pure-Storage-File-System-Snapshot-WF", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", + "name": "[variables('playbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Pure-Storage-User-Delete Playbook with template version 3.0.2", + "description": "Pure-Storage-User-Delete Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", + "contentVersion": "[variables('playbookVersion2')]", "parameters": { "PlaybookName": { "defaultValue": "Pure-Storage-User-Delete", @@ -744,12 +1373,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", "name": "Pure Storage", 
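Review bot: The new `metadata.description` and `prerequisites` strings for the file-system snapshot playbook are shown in the solution gallery and have grammar and punctuation slips that should be tidied before release. Suggested description: `"This playbook is triggered when a Microsoft Sentinel incident is created for suspicious activity and takes a file system snapshot of the file systems listed in Key Vault"`. Suggested first prerequisite: `"1. An Azure Key Vault is required to store the Pure Storage FlashBlade API token; create one if it does not already exist"`. The `postDeployment` step only describes adding the playbook to the vault's access policy; if the vault uses the RBAC permission model the equivalent step is a role assignment on the vault for the playbook's system-assigned identity, so it may be worth mentioning both.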
@@ -802,27 +1431,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", + "contentId": "[variables('_playbookContentId2')]", "contentKind": "Playbook", "displayName": "Pure-Storage-User-Delete", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", + "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Pure-Storage-Volumes-Snapshot Playbook with template version 3.0.2", + "description": "Pure-Storage-Volumes-Snapshot Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", + "contentVersion": "[variables('playbookVersion3')]", "parameters": { "PlaybookName": { "defaultValue": "Pure-Storage-Volumes-Snapshot", 
@@ -1095,12 +1724,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", "kind": "Playbook", - "version": "[variables('playbookVersion2')]", + "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", "name": "Pure Storage", 
@@ -1153,27 +1782,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", + "contentId": "[variables('_playbookContentId3')]", "contentKind": "Playbook", "displayName": "Pure-Storage-Volumes-Snapshot", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", + "name": "[variables('playbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Pure-Storage-Protection-Groups-Snapshot Playbook with template version 3.0.2", + "description": "Pure-Storage-Protection-Groups-Snapshot Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", + "contentVersion": "[variables('playbookVersion4')]", "parameters": { "PlaybookName": { "defaultValue": "Pure-Storage-Protection-Groups-Snapshot", 
@@ -1446,12 +2075,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", "kind": "Playbook", - "version": "[variables('playbookVersion3')]", + "version": "[variables('playbookVersion4')]", "source": { "kind": "Solution", "name": "Pure Storage", @@ -1506,12 +2135,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", + "contentId": "[variables('_playbookContentId4')]", "contentKind": "Playbook", "displayName": "Pure-Storage-Protection-Groups-Snapshot", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" } }, { @@ -1519,12 +2148,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Pure Storage", "publisherDisplayName": "purestoragemarketplaceadmin", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Solution for Microsoft Sentinel to ingest logs from PureStorage arrays

\n

Parsers: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Solution for Microsoft Sentinel to ingest logs from PureStorage arrays

\n

Parsers: 2, Analytic Rules: 3, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1554,6 +2183,11 @@ "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject2').parserContentId2]", + "version": "[variables('parserObject2').parserVersion2]" + }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", @@ -1564,20 +2198,30 @@ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, { "kind": "Playbook", - "contentId": "[variables('_Pure-Storage-User-Delete')]", + "contentId": "[variables('_Pure-Storage-FlashBlade-File-System-Snapshot')]", "version": "[variables('playbookVersion1')]" }, { "kind": "Playbook", - "contentId": "[variables('_Pure-Storage-Volumes-Snapshot')]", + "contentId": "[variables('_Pure-Storage-User-Delete')]", "version": "[variables('playbookVersion2')]" }, { "kind": "Playbook", - "contentId": "[variables('_Pure-Storage-Protection-Groups-Snapshot')]", + "contentId": "[variables('_Pure-Storage-Volumes-Snapshot')]", "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Pure-Storage-Protection-Groups-Snapshot')]", + "version": "[variables('playbookVersion4')]" } ] }, diff --git a/Solutions/Pure Storage/Parsers/PureStorageParser.yaml b/Solutions/Pure Storage/Parsers/PureStorageFlashArrayParser.yaml similarity index 86% rename from Solutions/Pure Storage/Parsers/PureStorageParser.yaml rename to Solutions/Pure Storage/Parsers/PureStorageFlashArrayParser.yaml index 2eff657f811..8281c85bd60 100644 
--- a/Solutions/Pure Storage/Parsers/PureStorageParser.yaml +++ b/Solutions/Pure Storage/Parsers/PureStorageFlashArrayParser.yaml @@ -1,12 +1,12 @@ id: 008b25eb-aeec-4751-9a42-3a0102e9774b -Description: Parser to extract Pure Storage related info from log +Description: Parser to extract Pure Storage FlashArray related info from log Function: - Title: Pure Storage Parser + Title: Pure Storage FlashArray Parser Version: '1.0.0' LastUpdated: Jan 29th 2024 -Category: PureStorageParser -FunctionName: PureStorageParserV1 -FunctionAlias: PureStorageParserV1 +Category: PureStorageFlashArrayParser +FunctionName: PureStorageFlashArrayParserV1 +FunctionAlias: PureStorageFlashArrayParserV1 FunctionQuery: | Syslog | where SyslogMessage has "purity.alert" diff --git a/Solutions/Pure Storage/Parsers/PureStorageFlashBladeParser.yaml b/Solutions/Pure Storage/Parsers/PureStorageFlashBladeParser.yaml new file mode 100644 index 00000000000..fa7878444e2 --- /dev/null +++ b/Solutions/Pure Storage/Parsers/PureStorageFlashBladeParser.yaml 
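Review bot: `FunctionName`/`FunctionAlias` change from `PureStorageParserV1` to `PureStorageFlashArrayParserV1` while `Version: '1.0.0'` and `LastUpdated: Jan 29th 2024` are left untouched, so the packaging metadata no longer describes the function it ships. Any saved query, workbook or analytic rule in an existing install that still calls `PureStorageParserV1` will fail once the solution is updated, since the old alias is not kept as a wrapper; please bump `Version` and `LastUpdated` and confirm every reference to the old alias in this solution was updated (the analytic rules are not in this diff). The `FunctionQuery` body continues outside the hunk.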
@@ -0,0 +1,23 @@ +id: c76dff08-ca13-467d-a143-c33cc226585c +Description: Parser to extract Pure Storage FlashBlade related info from log +Function: + Title: Pure Storage FlashBlade Parser + Version: '1.0.0' + LastUpdated: Oct 10th 2024 +Category: PureStorageFlashBladeParser +FunctionName: PureStorageFlashBladeParserV1 +FunctionAlias: PureStorageFlashBladeParserV1 +FunctionQuery: | + Syslog + | where SyslogMessage has "purity.alert" + | extend Message = replace_string(SyslogMessage, "#012", "\n") + | extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage) + | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage) + | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage) + | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage) + | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage) + | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage) + | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage) + | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage) + | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage) + | project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl \ No newline at end of file diff --git a/Solutions/Pure Storage/Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json b/Solutions/Pure Storage/Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json new file mode 100644 index 00000000000..48602eae961 --- /dev/null +++ b/Solutions/Pure Storage/Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json 
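Review bot: `PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)` captures the first whitespace-delimited word anywhere in the message rather than the severity field, and `PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)` likewise takes the first `token:` it meets, so both depend on the syslog header layout instead of the `purity.alert:` anchor that `PureAlertState` already uses. Anchoring them the same way, e.g. `| extend PureSeverity = extract(@"purity\.alert:\s(\w+)\s", 1, SyslogMessage)`, keeps the columns stable for the analytic rules built on them; the exact field position is inferred from the `PureAlertState` pattern, so confirm it against a real FlashBlade alert line. The query body also appears to be the same as the FlashArray parser's apart from the name, which is worth a comment in `Description` so that a future regex fix is applied to both.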
@@ -0,0 +1,322 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Pure Storage FlashBlade File System Snapshot", + "description": "This playbook gets triggered when a Microsoft Sentinel Incident created for suspicious activity and it takes files system snapshot of specific file systems listed in key vault", + "prerequisites": [ + "1. Azure Key vault is required for storing the Pure Storage FlashBlade API token , create key vault if not exists", + "2. Store API token as a secret in vault, with your storage array IP in dash notation as key name. Eg: 8-8-8-8", + "3. Store file systems list as a secret in vault, with key name as follows. Eg: 8-8-8-8-filesystem", + "4. Store name of the file system to be snapshotted as comma separated values for the key created in previous step" + ], + "postDeployment": [ + "**a. Authorize playbook**", + "Once deployment is complete, we need to add the playbook in the access policy of the Keyvault [learn how](https://docs.microsoft.com/azure/key-vault/general/assign-access-policy-portal)" + ], + "prerequisitesDeployTemplateFile": "", + "lastUpdateTime": "2024-10-09T00:00:00.000Z", + "entities": [ + "IP", + "Host", + "Account" + ], + "tags": [ + "Remediation" + ], + "support": { + "tier": "community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Pure Storage - security-solutions-support@purestorage.com" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Pure-Storage-File-System-Snapshot-WF", + "type": "string" + } + }, + "variables": { + "AzuresentinelConnectionName": "[concat('Azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + 
"definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/account" + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/ip" + } + }, + "IP_Loop": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Get_secret": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(replace(items('IP_Loop')?['Address'], '.', '-'))}/value" + } + }, + "Fetching_API_version": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/api_version", + "method": "GET" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Retrieving_auth_token": { + 
"runAfter": { + "Fetching_API_version": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/login", + "method": "POST", + "headers": { + "api-token": "@{body('Get_secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Get_FileSystem_list": { + "runAfter": { + "Retrieving_auth_token": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(concat(replace(items('IP_Loop')?['Address'], '.', '-'),'-filesystem'))}/value" + } + }, + "FileSystem_snapshot": { + "runAfter": { + "Get_FileSystem_list": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/@{last(body('Fetching_API_version')?['versions'])}/file-system-snapshots", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + }, + "queries": { + "source_names": "@{body('Get_FileSystem_list')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Logout_of_the_FlashBlade": { + "runAfter": { + "FileSystem_snapshot": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/logout", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "connectionName": 
"[variables('AzuresentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + }, + "accessControl": { + "triggers": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" + } + ] + }, + "contents": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" + } + ] + }, + "actions": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" + } + ] + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Pure-Storage-File-System-Snapshot", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('AzuresentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzuresentinelConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Pure Storage/ReleaseNotes.md b/Solutions/Pure Storage/ReleaseNotes.md index 2b103908cb2..d0950acf86e 100644 --- a/Solutions/Pure Storage/ReleaseNotes.md +++ b/Solutions/Pure Storage/ReleaseNotes.md @@ -1,4 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------| -| 3.0.1 | 03-05-2024 | Repackaged for parser issue fix on reinstall
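Review bot: `Get_secret` returns the FlashBlade API token and `Retrieving_auth_token` sends it in the `api-token` header and receives `x-auth-token` back, but none of these actions sets `secureData`, so both tokens are stored in clear in the run history inputs/outputs for anyone who can read it. Add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to `Get_secret`, `Retrieving_auth_token`, `FileSystem_snapshot` and `Logout_of_the_FlashBlade` (the last three already have a `runtimeConfiguration` block to extend). `Logout_of_the_FlashBlade` runs only after `FileSystem_snapshot` `Succeeded`, so a failed or skipped snapshot leaves the session token alive until it expires server-side; use `"FileSystem_snapshot": [ "Succeeded", "Failed", "Skipped", "TimedOut" ]` so the logout always runs once a token was issued. The three `allowedCallerIpAddresses` entries hard-code `10.21.241.30-10.21.241.37`, a private range from the author's environment that will not match a consumer's tenant and likely prevents the Sentinel trigger from firing and blocks run-history content access; make it a parameter or drop the block. The tag `hidden-SentinelTemplateName` and the default `PlaybookName` use `Pure-Storage-File-System-Snapshot` while the folder and the `_Pure-Storage-FlashBlade-File-System-Snapshot` variable in mainTemplate.json include `FlashBlade`; align the names so the package validator maps the playbook correctly.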
Added 2 new **Analytic Rules** and 3 new **Playbooks** | -| 3.0.0 | 05-02-2024 | Initial Solution Release - Parser Only | +| 3.0.3 | 05-11-2024 | Added new **Analytic Rule** a **Playbook** and a **Parser** | +| 3.0.2 | 09-05-2024 | Repackaged for **Parser** issue fix on reinstall | +| 3.0.1 | 03-05-2024 | Repackaged for **Parser** issue fix on reinstall
Added 2 new **Analytic Rules** and 3 new **Playbooks** | +| 3.0.0 | 05-02-2024 | Initial Solution Release - **Parser** Only | diff --git a/Solutions/SAP/sapcon-instance-update.sh b/Solutions/SAP/sapcon-instance-update.sh index 5412a8aa2b6..85c5a2e0234 100755 --- a/Solutions/SAP/sapcon-instance-update.sh +++ b/Solutions/SAP/sapcon-instance-update.sh @@ -208,7 +208,7 @@ while IFS= read -r contname; do # Image is on preview, and no newer version is available log "Current agent is in preview branch, and release branch has an older build (current release id is $containerreleaseid, latest is $imagereleaseid). Not updating this agent" else - log_update "Agent image for agent $contname is newer than the one in the container registry. Agent release id $containerreleaseid, release id of image available in container registry: $imagereleaseid. Not updating this agent" + log "Agent image for agent $contname is newer than the one in the container registry. Agent release id $containerreleaseid, release id of image available in container registry: $imagereleaseid. Not updating this agent" fi continue elif [ "$imagereleaseid" -gt "$containerreleaseid" ] || [ "$FORCE" == 1 ]; then diff --git a/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip b/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip index 7f5ad220bad..4c7b91ca69f 100644 Binary files a/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip and b/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip differ diff --git a/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json b/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json index 357177c235c..2d7e0056e83 100644 --- a/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json +++ b/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json 
@@ -143,7 +143,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.8" + "linuxFxVersion": "python|3.11" } }, diff --git a/Solutions/Snowflake/Data Connectors/requirements.txt b/Solutions/Snowflake/Data Connectors/requirements.txt index c9774c5cbc7..1dd0d12913d 100644 --- a/Solutions/Snowflake/Data Connectors/requirements.txt +++ b/Solutions/Snowflake/Data Connectors/requirements.txt @@ -2,4 +2,5 @@ azure-functions requests==2.31.0 python-dateutil==2.8.2 azure-storage-file-share==12.5.0 -snowflake-connector-python==3.0.2 \ No newline at end of file +snowflake-connector-python==3.0.2 +cffi==1.14.6 \ No newline at end of file diff --git a/Solutions/Syslog/Data Connectors/template_Syslog.json b/Solutions/Syslog/Data Connectors/template_Syslog.json index 72adbdf7134..604a041b47c 100644 --- a/Solutions/Syslog/Data Connectors/template_Syslog.json +++ b/Solutions/Syslog/Data Connectors/template_Syslog.json 
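Review bot: The runtime moves to `"linuxFxVersion": "python|3.11"` while the companion requirements.txt hunk pins `cffi==1.14.6`, a 2021 release that, as far as I know, has no Python 3.11 wheels, so the Function App deployment would fall back to a source build or fail to resolve; pin a cffi release that supports 3.11 or drop the explicit pin and let `snowflake-connector-python` pull a compatible one. The other pins (`requests==2.31.0`, `snowflake-connector-python==3.0.2`) are unchanged by the runtime bump and predate several later releases of those packages; a runtime change is the natural point to re-check them against the current advisories and to rebuild the shipped SnowflakeConn.zip against the same set.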
@@ -1,9 +1,8 @@ { "id": "Syslog", - "title": "Syslog", + "title": "Syslog via Legacy Agent", "publisher": "Microsoft", - "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", - "additionalRequirementBanner": "[Learn more](https://aka.ms/sysLogInfo)", + "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)", "graphQueries": [ { "metricName": "Total data received", @@ -56,7 +55,7 @@ "instructionSteps": [ { "title": "1. Install and onboard the agent for Linux", - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", + "description": "You can collect Syslog events from your local machine by installing the agent on it. You can also collect Syslog generated on a different source by running the installation script below on the local machine, where the agent is installed.\n\n> Syslog logs are collected only from **Linux** agents.", "instructions": [ { "parameters": { @@ -105,4 +104,4 @@ ] } ] -} \ No newline at end of file +} 
diff --git a/Solutions/Syslog/Package/3.0.7.zip b/Solutions/Syslog/Package/3.0.7.zip new file mode 100644 index 00000000000..8b8a91a502c Binary files /dev/null and b/Solutions/Syslog/Package/3.0.7.zip differ diff --git a/Solutions/Syslog/Package/mainTemplate.json b/Solutions/Syslog/Package/mainTemplate.json index e49e0bc701c..261c15d9624 100644 --- a/Solutions/Syslog/Package/mainTemplate.json +++ b/Solutions/Syslog/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Syslog", - "_solutionVersion": "3.0.6", + "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-syslog", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "Syslog", @@ -203,7 +203,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Syslog data connector with template version 3.0.6", + "description": "Syslog data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -219,9 +219,9 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Syslog", + "title": "Syslog via Legacy Agent", "publisher": "Microsoft", - "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)", "graphQueries": [ { "metricName": "Total data received", @@ -281,7 +281,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Syslog", + "displayName": "Syslog via Legacy Agent", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" 
@@ -325,9 +325,9 @@ "kind": "StaticUI", "properties": { "connectorUiConfig": { - "title": "Syslog", + "title": "Syslog via Legacy Agent", "publisher": "Microsoft", - "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)", "graphQueries": [ { "metricName": "Total data received", @@ -349,8 +349,7 @@ ] } ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "[Learn more](https://aka.ms/sysLogInfo)" + "id": "[variables('_uiConfigId1')]" } } }, @@ -363,7 +362,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Syslog data connector with template version 3.0.6", + "description": "Syslog data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -522,7 +521,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LinuxMachines Workbook with template version 3.0.6", + "description": "LinuxMachines Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -610,7 +609,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SyslogConnectorsOverviewWorkbook Workbook with template version 3.0.6", + "description": "SyslogConnectorsOverviewWorkbook Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -702,7 +701,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLogonAttempts_UnknownUser_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FailedLogonAttempts_UnknownUser_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -730,16 +729,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ 
@@ -750,22 +749,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -821,7 +820,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_squid_events_for_mining_pools_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "NRT_squid_events_for_mining_pools_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -845,16 +844,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -865,31 +864,31 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "URL" + "columnName": "URL", + "identifier": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -945,7 +944,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_cryptomining_pools_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "squid_cryptomining_pools_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -973,16 +972,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -993,39 +992,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "URL" + "columnName": "URL", + "identifier": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -1081,7 +1080,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_tor_proxies_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "squid_tor_proxies_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1109,16 +1108,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -1130,39 +1129,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "URL" + "columnName": "URL", + "identifier": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -1218,7 +1217,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ssh_potentialBruteForce_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "ssh_potentialBruteForce_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1246,16 +1245,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -1266,40 +1265,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } - ], - "entityType": "AzureResource" + ] } ] } 
@@ -1355,7 +1354,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sftp_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "sftp_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1383,16 +1382,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ 
@@ -1403,49 +1402,49 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "username" + "columnName": "username", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "src_ip" + "columnName": "src_ip", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileSample" + "columnName": "FileSample", + "identifier": "Name" } - ], - "entityType": "File" + ] } ], "customDetails": { - "FilesList": "fileslist", - "TransferCount": "count_distinct_filepath" + "TransferCount": "count_distinct_filepath", + "FilesList": "fileslist" }, "incidentConfiguration": { "groupingConfiguration": { - "matchingMethod": "Selected", + "enabled": true, "lookbackDuration": "5h", "groupByEntities": [ "Account", @@ -1509,7 +1508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sftp_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "sftp_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1537,16 +1536,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -1557,49 +1556,49 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "username" + "columnName": "username", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "src_ip" + "columnName": "src_ip", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "DirSample" + "columnName": "DirSample", + "identifier": "Name" } - ], - "entityType": "File" + ] } ], "customDetails": { - "FilesList": "dirlist", - "TransferCount": "count_distinct_dirpath" + "TransferCount": "count_distinct_dirpath", + "FilesList": "dirlist" }, "incidentConfiguration": { "groupingConfiguration": { - "matchingMethod": "Selected", + "enabled": true, "lookbackDuration": "5h", "groupByEntities": [ "Account", 
@@ -1663,7 +1662,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CryptoCurrencyMiners_HuntingQueries Hunting Query with template version 3.0.6", + "description": "CryptoCurrencyMiners_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1748,7 +1747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SCXExecuteRunAsProviders_HuntingQueries Hunting Query with template version 3.0.6", + "description": "SCXExecuteRunAsProviders_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1833,7 +1832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CryptoThreatActivity_HuntingQueries Hunting Query with template version 3.0.6", + "description": "CryptoThreatActivity_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1918,7 +1917,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcess_ForLxHost_HuntingQueries Hunting Query with template version 3.0.6", + "description": "RareProcess_ForLxHost_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2003,7 +2002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SchedTaskAggregation_HuntingQueries Hunting Query with template version 3.0.6", + "description": "SchedTaskAggregation_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2088,7 +2087,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SchedTaskEditViaCrontab_HuntingQueries Hunting Query with template version 3.0.6", + "description": "SchedTaskEditViaCrontab_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -2173,7 +2172,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_abused_tlds_HuntingQueries Hunting Query with template version 3.0.6", + "description": "squid_abused_tlds_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -2258,7 +2257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_malformed_requests_HuntingQueries Hunting Query with template version 3.0.6", + "description": "squid_malformed_requests_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2343,7 +2342,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_volume_anomalies_HuntingQueries Hunting Query with template version 3.0.6", + "description": "squid_volume_anomalies_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -2428,7 +2427,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SyslogConnectorsOverallStatus Data Parser with template version 3.0.6", + "description": "SyslogConnectorsOverallStatus Data Parser with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -2560,7 +2559,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SyslogConnectorsEventVolumebyDeviceProduct Data Parser with template version 3.0.6", + "description": "SyslogConnectorsEventVolumebyDeviceProduct Data Parser with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -2688,7 +2687,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Syslog", diff --git a/Solutions/Syslog/ReleaseNotes.md b/Solutions/Syslog/ReleaseNotes.md index a070085aedd..1137f4b7e77 100644 --- a/Solutions/Syslog/ReleaseNotes.md +++ b/Solutions/Syslog/ReleaseNotes.md 
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.7 | 04-11-2024 | Updated the Syslog **Data Connector** template to latest version | | 3.0.6 | 01-08-2024 | Updated **Analytic rules** for entity mappings and parameter for parser function | | 3.0.5 | 16-07-2024 | Added 2 new Workspace Function **Parsers** and a new **Workbook** | | 3.0.4 | 27-06-2024 | Updated Connectivity criteria query for **Data Connector** | diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py index 035caf2145f..90fe0fe5f32 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py 
@@ -1,81 +1,84 @@ +import json import os import logging from datetime import timedelta from ..tenable_helper import TenableExportType, TenableStatus -import azure.functions as func import azure.durable_functions as df logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") logger.setLevel(logging.WARNING) -asset_status_and_chunk = 'TenableAssetExportStatusAndSendChunks' -export_poll_schedule_minutes = int(os.getenv('TenableExportPollScheduleInMinutes', '1')) +asset_status_and_chunk = "TenableAssetExportStatusAndSendChunks" +export_poll_schedule_minutes = int(os.getenv("TenableExportPollScheduleInMinutes", "1")) + def orchestrator_function(context: df.DurableOrchestrationContext): - logging.info('started asset export orchestrator') + logging.info("started asset export orchestrator") job_details = context.get_input() - logging.info('loaded job details from orchestrator:') + logging.info("loaded job details from orchestrator:") logging.info(job_details) - asset_job_id = job_details['assetJobId'] if 'assetJobId' in job_details else '' - if asset_job_id == '': + asset_job_id = job_details["assetJobId"] if "assetJobId" in job_details else "" + if asset_job_id == "": return { - 'status': TenableStatus.no_job.value, - 'id': '', - 'chunks': [], - 'assetInstanceId': context.instance_id, - 'type': TenableExportType.asset.value + "status": TenableStatus.no_job.value, + "id": "", + "chunks": [], + "assetInstanceId": context.instance_id, + "type": TenableExportType.asset.value, } chunks = [] - logging.info(f'checking status of job {asset_job_id}, outside while loop') - job_status = yield context.call_activity(asset_status_and_chunk, asset_job_id) - logging.info(f'{asset_job_id} is currently in this state:') + logging.info(f"checking status of job {asset_job_id}, outside while loop") + start_time = job_details.get("start_time", 0) + str_activity_data = json.dumps({"asset_job_id": asset_job_id, "start_time": start_time}) + job_status = yield 
context.call_activity(asset_status_and_chunk, str_activity_data) + logging.info(f"{asset_job_id} is currently in this state:") logging.info(job_status) - logging.info(job_status['status']) + logging.info(job_status["status"]) - tio_status = ['ERROR', 'CANCELLED', 'FINISHED'] - while not 'status' in job_status or not (job_status['status'] in tio_status): + tio_status = ["ERROR", "CANCELLED", "FINISHED"] + while not "status" in job_status or not (job_status["status"] in tio_status): logging.info( - f'Checking {asset_job_id} after waking up again, inside while loop:') - job_status = yield context.call_activity(asset_status_and_chunk, asset_job_id) - logging.info(f'{asset_job_id} is currently in this state:') + f"Checking {asset_job_id} after waking up again, inside while loop:") + job_status = yield context.call_activity(asset_status_and_chunk, str_activity_data) + logging.info(f"{asset_job_id} is currently in this state:") logging.info(job_status) - if 'status' in job_status and job_status['status'] == 'FINISHED': - logging.info('job is completely finished!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + if "status" in job_status and job_status["status"] == "FINISHED": + logging.info("job is completely finished!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break - elif 'status' in job_status and job_status['status'] == 'ERROR': - logging.info('job is completed with Error status!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + elif "status" in job_status and job_status["status"] == "ERROR": + logging.info("job is completed with Error status!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break - elif 'status' in job_status and job_status['status'] == 'CANCELLED': - logging.info('job is completed with Cancelled status!') - chunks = job_status['chunks_available'] - logging.info(f'Found 
these chunks: {chunks}') + elif "status" in job_status and job_status["status"] == "CANCELLED": + logging.info("job is completed with Cancelled status!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break else: - logging.info('not quite ready, going to sleep...') + logging.info("not quite ready, going to sleep...") next_check = context.current_utc_datetime + timedelta(minutes=export_poll_schedule_minutes) yield context.create_timer(next_check) - logging.info('Checking that chunks exist...') - logging.info(f'Number of chunks: {len(chunks)}') + logging.info("Checking that chunks exist...") + logging.info(f"Number of chunks: {len(chunks)}") tenable_status = TenableStatus.finished.value - if 'status' in job_status and (job_status['status'] == 'CANCELLED' or job_status['status'] == 'ERROR'): + if "status" in job_status and (job_status["status"] == "CANCELLED" or job_status["status"] == "ERROR"): tenable_status = TenableStatus.failed.value return { - 'status': tenable_status, - 'id': asset_job_id, - 'chunks': chunks, - 'assetInstanceId': context.instance_id, - 'type': TenableExportType.asset.value + "status": tenable_status, + "id": asset_job_id, + "chunks": chunks, + "assetInstanceId": context.instance_id, + "type": TenableExportType.asset.value, } diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py index 523e3bc9e64..435a6b5bbe4 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py 
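Review bot: `logging.info(job_status["status"])` on the new side runs right after the first `call_activity` and before any `"status" in job_status` guard, so an activity result lacking that key raises KeyError and the guarded while-loop below never gets a chance to poll again; the same line is in the new TenableComplianceExportOrchestrator/__init__.py. `logging.info(job_status.get("status"))` keeps the log without the crash. The id lookup `job_details["assetJobId"] if "assetJobId" in job_details else ""` could also match the `.get("start_time", 0)` added two lines below: `asset_job_id = job_details.get("assetJobId", "")`. The rewritten loop header keeps `while not "status" in job_status`, while the compliance orchestrator writes `"status" not in job_status`; the two files should agree on the idiomatic form.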
@@ -1,78 +1,88 @@ +import json import logging import os from ..exports_queue import ExportsQueue, ExportsQueueNames from ..exports_store import ExportsTableStore, ExportsTableNames -from ..tenable_helper import TenableIO, TenableStatus, TenableExportType +from ..tenable_helper import TenableIO, TenableStatus, TenableExportType, update_checkpoint_for_last_chunk -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_table_name = ExportsTableNames.TenableAssetExportTable.value assets_queue_name = ExportsQueueNames.TenableAssetExportsQueue.value + def send_chunks_to_queue(exportJobDetails): - logging.info(f'Sending chunk to queue.') - chunks = exportJobDetails.get('chunks_available', []) - exportJobId = exportJobDetails.get('exportJobId', '') + logging.info("Sending chunk to queue.") + chunks = exportJobDetails.get("chunks_available", []) + exportJobId = exportJobDetails.get("exportJobId", "") + start_time = exportJobDetails.get("start_time", 0) + job_status = exportJobDetails.get("status", "") if len(chunks) > 0: assets_table = ExportsTableStore(connection_string, assets_table_name) + update_checkpoint = False for chunk in chunks: + update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status) chunk_dtls = assets_table.get(exportJobId, str(chunk)) if chunk_dtls: - current_chunk_status = chunk_dtls['jobStatus'] + current_chunk_status = chunk_dtls["jobStatus"] if ( current_chunk_status == TenableStatus.sent_to_queue.value or current_chunk_status == TenableStatus.finished.value ): - logging.warning(f'Avoiding asset chunk duplicate processing -- {exportJobId} {chunk}. Current status: {current_chunk_status}') + logging.warning(f"Avoiding asset chunk duplicate processing -- {exportJobId} {chunk}. 
Current status: {current_chunk_status}") continue assets_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sending_to_queue.value, - 'jobType': TenableExportType.asset.value + "jobStatus": TenableStatus.sending_to_queue.value, + "jobType": TenableExportType.asset.value }) assets_queue = ExportsQueue(connection_string, assets_queue_name) try: - sent = assets_queue.send_chunk_info(exportJobId, chunk) - logging.warn(f'chunk queued -- {exportJobId} {chunk}') - logging.warn(sent) + sent = assets_queue.send_chunk_info(exportJobId, chunk, start_time, update_checkpoint) + logging.warning(f"chunk queued -- {exportJobId} {chunk}") + logging.warning(sent) assets_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sent_to_queue.value + "jobStatus": TenableStatus.sent_to_queue.value }) except Exception as e: - logging.warn( - f'Failed to send {exportJobId} - {chunk} to be processed') - logging.warn(e) + logging.warning( + f"Failed to send {exportJobId} - {chunk} to be processed") + logging.warning(e) assets_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sent_to_queue_failed.value, - 'jobType': TenableExportType.asset.value + "jobStatus": TenableStatus.sent_to_queue_failed.value, + "jobType": TenableExportType.asset.value }) else: - logging.info('no chunk found to process.') + logging.info("no chunk found to process.") return -def main(exportJobId: str) -> object: - logging.info('using pyTenable client to check asset export job status') +def main(exportJob: str) -> object: + jsonExportObject = json.loads(exportJob) + exportJobId = jsonExportObject.get("asset_job_id", "") + start_time = jsonExportObject.get("start_time", 0) + logging.info("using pyTenable client to check asset export job status") logging.info( - f'checking status at assets/{exportJobId}/status') + f"checking status at assets/{exportJobId}/status") tio = TenableIO() - job_details = tio.exports.status('assets', exportJobId) + job_details = 
tio.exports.status("assets", exportJobId) logging.info( - f'received a response from assets/{exportJobId}/status') + f"received a response from assets/{exportJobId}/status") logging.info(job_details) - tio_status = ['ERROR', 'CANCELLED'] - if job_details['status'] not in tio_status: + tio_status = ["ERROR", "CANCELLED"] + if job_details["status"] not in tio_status: try: - job_details['exportJobId'] = exportJobId + job_details["exportJobId"] = exportJobId + job_details["start_time"] = start_time send_chunks_to_queue(job_details) except Exception as e: - logging.warn('error while sending chunks to queue') - logging.warn(job_details) - logging.warn(e) + logging.warning("error while sending chunks to queue") + logging.warning(job_details) + logging.warning(e) return job_details diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json index 89e7dd83296..6116f03f684 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json @@ -2,7 +2,7 @@ "scriptFile": "__init__.py", "bindings": [ { - "name": "exportJobId", + "name": "exportJob", "type": "activityTrigger", "direction": "in" } diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py index 3a93700cc8a..3a4d379883d 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py 
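Review bot: In `main`, `jsonExportObject.get("asset_job_id", "")` defaults a missing id to the empty string and the function then calls `tio.exports.status("assets", "")`, so a malformed activity payload becomes a Tenable API request with no job id instead of a clear failure. Failing fast is safer: `if not exportJobId: raise ValueError("exportJob payload has no asset_job_id")`. `json.loads(exportJob)` likewise assumes a JSON object; a short comment on `main` stating the expected payload shape (`{"asset_job_id": ..., "start_time": ...}` as built by TenableAssetExportOrchestrator) would document the contract between the two functions, since the binding rename in function.json is the only other trace of it.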
@@ -3,9 +3,11 @@ from ..exports_store import ExportsTableStore, ExportsTableNames -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_export_table_name = ExportsTableNames.TenableAssetExportTable.value vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value +compliance_export_table_name = ExportsTableNames.TenableComplianceExportTable.value +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False def remove_finished_chunks(table_client: ExportsTableStore): @@ -13,14 +15,14 @@ def remove_finished_chunks(table_client: ExportsTableStore): finished_chunks_by_job_id = {} for f in finished_jobs: - job_id = f['PartitionKey'] - chunk_id = f['RowKey'] - if not f['PartitionKey'] in finished_chunks_by_job_id: - finished_chunks_by_job_id[job_id] = [('delete', - {'PartitionKey': job_id, 'RowKey': chunk_id})] + job_id = f["PartitionKey"] + chunk_id = f["RowKey"] + if not f["PartitionKey"] in finished_chunks_by_job_id: + finished_chunks_by_job_id[job_id] = [("delete", + {"PartitionKey": job_id, "RowKey": chunk_id})] else: - finished_chunks_by_job_id[job_id].append(('delete', - {'PartitionKey': job_id, 'RowKey': chunk_id})) + finished_chunks_by_job_id[job_id].append(("delete", + {"PartitionKey": job_id, "RowKey": chunk_id})) logging.info(finished_chunks_by_job_id) batch_size = 50 @@ -28,7 +30,7 @@ def remove_finished_chunks(table_client: ExportsTableStore): batches = [finished_chunks_by_job_id[j][i:i + batch_size] for i in range(0, len(finished_chunks_by_job_id[j]), batch_size)] for batch in batches: - logging.info('deleting batch') + logging.info("deleting batch") table_client.batch(batch) 
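Review bot: `ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False` wraps a boolean expression in a redundant conditional; `ingest_compliance_data = os.environ.get("ComplianceDataIngestion", "False").lower() == "true"` is equivalent and reads directly. Because the flag is evaluated once at module import, a comment such as `# read once at import; the setting is not re-read per invocation` would make that visible to whoever next changes the app setting.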
@@ -36,8 +38,12 @@ def main(name: str) -> str: assets_table = ExportsTableStore( connection_string, assets_export_table_name) vuln_table = ExportsTableStore(connection_string, vuln_export_table_name) - logging.info('batch deleting finished chunks from asset table.') + logging.info("batch deleting finished chunks from asset table.") remove_finished_chunks(assets_table) - logging.info('batch deleting finished chunks from vuln table.') + logging.info("batch deleting finished chunks from vuln table.") remove_finished_chunks(vuln_table) + if ingest_compliance_data: + compliance_table = ExportsTableStore(connection_string, compliance_export_table_name) + logging.info("batch deleting finished chunks from compliance table.") + remove_finished_chunks(compliance_table) return True diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py index e430084b8c0..d0c0d5c0172 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py 
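Review bot: Cleanup of the compliance table is gated on `ingest_compliance_data`, so once the setting is switched off any finished chunks already written to `compliance_export_table_name` from an earlier run are never removed and remain in storage indefinitely. If that table can exist independently of the current flag value, running `remove_finished_chunks(compliance_table)` unconditionally (or gating on the table's existence rather than on ingestion) avoids the leftover rows. The signature `def main(name: str) -> str` still ends in `return True`; `-> bool` would match the visible return.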
@@ -1,20 +1,20 @@ import os from datetime import timedelta -import azure.functions as func import azure.durable_functions as df -generate_stats_activity_name = 'TenableGenerateJobStats' -clean_tables_name = 'TenableCleanTables' -cleanup_schedule_minutes = int(os.getenv('TenableCleanupScheduleInMinutes', '10')) +generate_stats_activity_name = "TenableGenerateJobStats" +clean_tables_name = "TenableCleanTables" +cleanup_schedule_minutes = int(os.getenv("TenableCleanupScheduleInMinutes", "10")) -def orchestrator_function(context: df.DurableOrchestrationContext): - yield context.call_activity(generate_stats_activity_name, '') - yield context.call_activity(clean_tables_name, '') +def orchestrator_function(context: df.DurableOrchestrationContext): + yield context.call_activity(generate_stats_activity_name, "") + yield context.call_activity(clean_tables_name, "") next_check = context.current_utc_datetime + timedelta(minutes=cleanup_schedule_minutes) yield context.create_timer(next_check) context.continue_as_new(None) -main = df.Orchestrator.create(orchestrator_function) \ No newline at end of file + +main = df.Orchestrator.create(orchestrator_function) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/__init__.py new file mode 100644 index 00000000000..77a1c5f2cc5 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/__init__.py 
@@ -0,0 +1,112 @@ +"""Orchestrator function for compliance export jobs.""" + +import json +import os +import logging +from datetime import timedelta +from ..tenable_helper import TenableExportType, TenableStatus + +import azure.durable_functions as df + +logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") +logger.setLevel(logging.WARNING) + +compliance_status_and_chunk = "TenableComplianceExportStatusAndSendChunks" +export_poll_schedule_minutes = int(os.getenv("TenableExportPollScheduleInMinutes", "1")) +chunks_found_log = "Found these chunks: {}" + + +def orchestrator_function(context: df.DurableOrchestrationContext): + """ + Orchestrator function to check the status of compliance export job and store chunks_available. + + Args: + context: The durable orchestration context + + Returns: + A dictionary containing the status, id, chunks, complianceInstanceId and type of the job + """ + logging.info("started compliance export orchestrator") + job_details = context.get_input() + logging.info("loaded job details from orchestrator:") + logging.info(job_details) + + compliance_job_id = ( + job_details["complianceJobId"] if "complianceJobId" in job_details else "" + ) + if compliance_job_id == "": + return { + "status": TenableStatus.no_job.value, + "id": "", + "chunks": [], + "complianceInstanceId": context.instance_id, + "type": TenableExportType.compliance.value, + } + + chunks = [] + logging.info( + "checking status of job {}, outside while loop".format(compliance_job_id) + ) + start_time = job_details.get("start_time", 0) + str_activity_data = json.dumps({"compliance_job_id": compliance_job_id, "start_time": start_time}) + job_status = yield context.call_activity( + compliance_status_and_chunk, str_activity_data + ) + logging.info("{} is currently in this state:".format(compliance_job_id)) + logging.info(job_status) + logging.info(job_status["status"]) + + tio_status = ["ERROR", "CANCELLED", "FINISHED"] + while ("status" not in job_status) 
or (job_status["status"] not in tio_status): + logging.info( + "Checking {} after waking up again, inside while loop:".format( + compliance_job_id + ) + ) + job_status = yield context.call_activity( + compliance_status_and_chunk, str_activity_data + ) + logging.info("{} is currently in this state:".format(compliance_job_id)) + logging.info(job_status) + + if "status" in job_status and job_status["status"] == "FINISHED": + logging.info("job is completely finished!") + chunks = job_status["chunks_available"] + logging.info(chunks_found_log.format(chunks)) + break + elif "status" in job_status and job_status["status"] == "ERROR": + logging.info("job is completed with Error status!") + chunks = job_status["chunks_available"] + logging.info(chunks_found_log.format(chunks)) + break + elif "status" in job_status and job_status["status"] == "CANCELLED": + logging.info("job is completed with Cancelled status!") + chunks = job_status["chunks_available"] + logging.info(chunks_found_log.format(chunks)) + break + else: + logging.info("not quite ready, going to sleep...") + next_check = context.current_utc_datetime + timedelta( + minutes=export_poll_schedule_minutes + ) + yield context.create_timer(next_check) + + logging.info("Checking that chunks exist...") + logging.info("Number of chunks: {}".format(len(chunks))) + + tenable_status = TenableStatus.finished.value + if "status" in job_status and ( + job_status["status"] == "CANCELLED" or job_status["status"] == "ERROR" + ): + tenable_status = TenableStatus.failed.value + + return { + "status": tenable_status, + "id": compliance_job_id, + "chunks": chunks, + "complianceInstanceId": context.instance_id, + "type": TenableExportType.compliance.value, + } + + +main = df.Orchestrator.create(orchestrator_function) 
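Review bot: `chunks` stays `[]` when the first `call_activity` already returns a terminal status, because the only assignments from `chunks_available` sit inside the `while` loop, and that loop is skipped when the initial `job_status["status"]` is already in `tio_status`; a job that is FINISHED on the first poll is reported back with no chunks. After the initial status logging add `if job_status.get("status") in tio_status: chunks = job_status.get("chunks_available", [])`. The three terminal branches inside the loop also index `job_status["chunks_available"]` directly; `job_status.get("chunks_available", [])` would keep an ERROR or CANCELLED response without that key from raising inside the orchestrator.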
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/function.json
new file mode 100644
index 00000000000..82fabb9a853
--- /dev/null
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/function.json
@@ -0,0 +1,10 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "context",
+ "type": "orchestrationTrigger",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/__init__.py
new file mode 100644
index 00000000000..5ba6491ffdf
--- /dev/null
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/__init__.py
@@ -0,0 +1,111 @@ +"""Activity function to check compliance export job status and send chunks to queue.""" + +import json +import logging +import os + +from ..exports_queue import ExportsQueue, ExportsQueueNames +from ..exports_store import ExportsTableStore, ExportsTableNames +from ..tenable_helper import TenableIO, TenableStatus, TenableExportType, update_checkpoint_for_last_chunk + +connection_string = os.environ["AzureWebJobsStorage"] +compliance_table_name = ExportsTableNames.TenableComplianceExportTable.value +compliance_queue_name = ExportsQueueNames.TenableComplianceExportsQueue.value + + +def send_chunks_to_queue(export_job_details): + """ + Send chunks of a compliance export job to queue for processing. + + Args: + export_job_details: a dictionary containing the exportJobId and chunks_available + """ + logging.info("Sending chunk to queue.") + chunks = export_job_details.get("chunks_available", []) + export_job_id = export_job_details.get("exportJobId", "") + start_time = export_job_details.get("start_time", 0) + job_status = export_job_details.get("status", "") + + if len(chunks) > 0: + compliance_table = ExportsTableStore(connection_string, compliance_table_name) + update_checkpoint = False + for chunk in chunks: + update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status) + chunk_dtls = compliance_table.get(export_job_id, str(chunk)) + if chunk_dtls: + current_chunk_status = chunk_dtls["jobStatus"] + if ( + current_chunk_status == TenableStatus.sent_to_queue.value + or current_chunk_status == TenableStatus.finished.value + ): + logging.warning( + "Avoiding compliance chunk duplicate processing -- {} {}. 
Current status: {}".format( + export_job_id, chunk, current_chunk_status + ) + ) + continue + + compliance_table.merge( + export_job_id, + str(chunk), + { + "jobStatus": TenableStatus.sending_to_queue.value, + "jobType": TenableExportType.compliance.value, + }, + ) + + compliance_queue = ExportsQueue(connection_string, compliance_queue_name) + try: + sent = compliance_queue.send_chunk_info(export_job_id, chunk, start_time, update_checkpoint) + logging.warning("chunk queued -- {} {}".format(export_job_id, chunk)) + logging.warning(sent) + compliance_table.merge( + export_job_id, + str(chunk), + {"jobStatus": TenableStatus.sent_to_queue.value}, + ) + except Exception as err: + logging.warning( + "Failed to send {} - {} to be processed".format( + export_job_id, chunk + ) + ) + logging.warning(err) + + compliance_table.merge( + export_job_id, + str(chunk), + { + "jobStatus": TenableStatus.sent_to_queue_failed.value, + "jobType": TenableExportType.compliance.value, + }, + ) + else: + logging.info("no chunk found to process.") + return None + + +def main(exportJob: str) -> object: + """Check the status of compliance export job id.""" + json_export_object = json.loads(exportJob) + export_job_id = json_export_object.get("compliance_job_id", "") + start_time = json_export_object.get("start_time", 0) + logging.info("using pyTenable client to check compliance export job status") + logging.info("checking status at compliance/{}/status".format(export_job_id)) + tio = TenableIO() + job_details = tio.exports.status("compliance", export_job_id) + logging.info("received a response from compliance/{}/status".format(export_job_id)) + logging.info(job_details) + + tio_status = ["ERROR", "CANCELLED"] + if job_details["status"] not in tio_status: + try: + job_details["exportJobId"] = export_job_id + job_details["start_time"] = start_time + send_chunks_to_queue(job_details) + except Exception as err: + logging.warning("error while sending chunks to queue") + logging.warning(job_details) 
+ logging.warning(err)
+
+ return job_details
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/function.json
new file mode 100644
index 00000000000..3d1786e7411
--- /dev/null
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/function.json
@@ -0,0 +1,10 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "exportJob",
+ "type": "activityTrigger",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py
index ce9f5f165fd..7154f73ac95 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py
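Review bot: `main` indexes `job_details["status"]` directly, while the TenableComplianceExportOrchestrator added in the same commit explicitly guards for a missing `status` key in this activity's return value; a status response without that key raises KeyError here before `job_details` is returned. `if job_details.get("status") not in tio_status:` keeps both sides consistent, and the same applies to `chunk_dtls["jobStatus"]` in send_chunks_to_queue. The one-line docstring on `main` undersells it, since the function also enqueues chunks; something like `"""Poll the compliance export job status and, unless it is ERROR or CANCELLED, enqueue its available chunks."""` describes the contract callers see.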
@@ -1,32 +1,37 @@ import logging import os -from datetime import datetime, timedelta, timezone +from datetime import datetime, timezone from ..exports_store import ExportsTableStore, ExportsTableNames from ..exports_queue import ExportsQueue, ExportsQueueNames import azure.functions as func import azure.durable_functions as df -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] stats_table_name = ExportsTableNames.TenableExportStatsTable.value assets_export_table_name = ExportsTableNames.TenableAssetExportTable.value vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value assets_queue_name = ExportsQueueNames.TenableAssetExportsQueue.value vuln_queue_name = ExportsQueueNames.TenableVulnExportsQueue.value +compliance_export_table_name = ExportsTableNames.TenableComplianceExportTable.value +compliance_queue_name = ExportsQueueNames.TenableComplianceExportsQueue.value +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False -orchestrator_function_name = 'TenableExportsOrchestrator' -cleanup_orchestrator_function_name = 'TenableCleanUpOrchestrator' + +orchestrator_function_name = "TenableExportsOrchestrator" +cleanup_orchestrator_function_name = "TenableCleanUpOrchestrator" async def start_new_orchestrator(client, is_first_run=False): stats_table = ExportsTableStore(connection_string, stats_table_name) if is_first_run: - instance_id = await client.start_new(orchestrator_function_name, None, {'isFirstRun': True}) + instance_id = await client.start_new(orchestrator_function_name, None, {"isFirstRun": True}) else: - instance_id = await client.start_new(orchestrator_function_name, None, {'isFirstRun': False}) + instance_id = await client.start_new(orchestrator_function_name, None, {"isFirstRun": False}) logging.info(f"Started orchestration with ID = '{instance_id}'.") 
- stats_table.merge('main', 'current', { - 'exportsInstanceId': instance_id + stats_table.merge("main", "current", { + "exportsInstanceId": instance_id }) return instance_id @@ -35,23 +40,30 @@ async def start_new_cleanup_orchestrator(client): stats_table = ExportsTableStore(connection_string, stats_table_name) instance_id = await client.start_new(cleanup_orchestrator_function_name, None, None) logging.info(f"Started clean up orchestration with ID = '{instance_id}'.") - stats_table.merge('main', 'current', { - 'cleanupInstanceId': instance_id + stats_table.merge("main", "current", { + "cleanupInstanceId": instance_id }) return instance_id def first_run_setup(): - logging.info('First run detected...') - logging.info('Setting up the following resources:') + logging.info("First run detected...") + logging.info("Setting up the following resources:") logging.info(stats_table_name) logging.info(assets_export_table_name) logging.info(vuln_export_table_name) + logging.info(checkpoint_table_name) logging.info(assets_queue_name) logging.info(vuln_queue_name) + if ingest_compliance_data: + logging.info(compliance_export_table_name) + logging.info(compliance_queue_name) stats_table = ExportsTableStore(connection_string, stats_table_name) stats_table.create() + checkpoint_table = ExportsTableStore(connection_string, checkpoint_table_name) + checkpoint_table.create() + asesets_table = ExportsTableStore( connection_string, assets_export_table_name) asesets_table.create() 
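Review bot: `ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False` wraps an expression that is already a bool; `ingest_compliance_data = os.environ.get("ComplianceDataIngestion", "False").lower() == "true"` reads the same and drops the redundant ternary. The identical line is repeated in the TenableExportsOrchestrator and TenableGenerateJobStats hunks of this commit, so a single shared helper (the existing tenable_helper module already collects such cross-function code) would keep the three readings of the setting in step if the accepted values ever change.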
@@ -65,72 +77,84 @@ def first_run_setup(): vuln_queue = ExportsQueue(connection_string, vuln_queue_name) vuln_queue.create() - stats_table.post('main', 'current', { - 'exportsInstanceId': '', - 'cleanupInstanceId': '', - 'isFirstRun': False + compliance_table = ExportsTableStore(connection_string, compliance_export_table_name) + compliance_table.create() + + compliance_queue = ExportsQueue(connection_string, compliance_queue_name) + compliance_queue.create() + + stats_table.post("main", "current", { + "exportsInstanceId": "", + "cleanupInstanceId": "", + "isFirstRun": False }) + + checkpoint_table.post("assets", "timestamp", {"assets_timestamp": 0}) + + checkpoint_table.post("vulns", "timestamp", {"vulns_timestamp": 0}) + + checkpoint_table.post("compliance", "timestamp", {"compliance_timestamp": 0}) return async def main(mytimer: func.TimerRequest, starter: str) -> None: utc_timestamp = datetime.utcnow().replace( tzinfo=timezone.utc).isoformat() - logging.info('Python timer trigger function ran at %s', utc_timestamp) + logging.info("Python timer trigger function ran at %s", utc_timestamp) client = df.DurableOrchestrationClient(starter) store = ExportsTableStore( connection_string=connection_string, table_name=stats_table_name) - logging.info('looking in table storage for running instance') - job_info = store.get('main', 'current') - logging.info('results from table storage:') + logging.info("looking in table storage for running instance") + job_info = store.get("main", "current") + logging.info("results from table storage:") logging.info(job_info) if job_info is not None: - logging.info('checking if an existing instance was found...') - singleton_instance_id = job_info['exportsInstanceId'] if 'exportsInstanceId' in job_info else '' - logging.info(f'exports instance id value: {singleton_instance_id}') - if not singleton_instance_id == '': + logging.info("checking if an existing instance was found...") + singleton_instance_id = job_info["exportsInstanceId"] if 
"exportsInstanceId" in job_info else "" + logging.info(f"exports instance id value: {singleton_instance_id}") + if not singleton_instance_id == "": logging.info( - f'Located an existing orchestrator instance: {singleton_instance_id}') + f"Located an existing orchestrator instance: {singleton_instance_id}") existing_instance = await client.get_status(singleton_instance_id) logging.info(existing_instance) logging.info(existing_instance.runtime_status) if existing_instance is None or existing_instance.runtime_status in [df.OrchestrationRuntimeStatus.Completed, df.OrchestrationRuntimeStatus.Failed, df.OrchestrationRuntimeStatus.Terminated, None]: new_instance_id = await start_new_orchestrator(client) - logging.info(f'started new instance -- {new_instance_id}') + logging.info(f"started new instance -- {new_instance_id}") else: logging.info( - 'Export job is already currently running. Will try again later.') + "Export job is already currently running. Will try again later.") else: - logging.info('not a first run, but no instance id found yet.') - logging.info('starting new instance id.') + logging.info("not a first run, but no instance id found yet.") + logging.info("starting new instance id.") new_instance_id = await start_new_orchestrator(client) - logging.info(f'started new instance -- {new_instance_id}') + logging.info(f"started new instance -- {new_instance_id}") - logging.info('checking for an existing cleanup instance was found...') - cleanup_singleton_instance_id = job_info['cleanupInstanceId'] if 'cleanupInstanceId' in job_info else '' - if not cleanup_singleton_instance_id == '': + logging.info("checking for an existing cleanup instance was found...") + cleanup_singleton_instance_id = job_info["cleanupInstanceId"] if "cleanupInstanceId" in job_info else "" + if not cleanup_singleton_instance_id == "": logging.info( - f'Located an existing cleanup orchestrator instance: {cleanup_singleton_instance_id}') + f"Located an existing cleanup orchestrator instance: 
{cleanup_singleton_instance_id}") existing_cleanup_instance = await client.get_status(cleanup_singleton_instance_id) logging.info(existing_cleanup_instance) logging.info(existing_cleanup_instance.runtime_status) if existing_cleanup_instance is None or existing_cleanup_instance.runtime_status in [df.OrchestrationRuntimeStatus.Completed, df.OrchestrationRuntimeStatus.Failed, df.OrchestrationRuntimeStatus.Terminated, None]: new_cleanup_instance_id = await start_new_cleanup_orchestrator(client) logging.info( - f'started new instance -- {new_cleanup_instance_id}') + f"started new instance -- {new_cleanup_instance_id}") else: logging.info( - 'Cleanup job is already currently running. Will try again later.') + "Cleanup job is already currently running. Will try again later.") else: logging.info( - 'not a first run, but no cleanup instance id found yet.') - logging.info('starting new cleanup instance id.') + "not a first run, but no cleanup instance id found yet.") + logging.info("starting new cleanup instance id.") cleanup_new_instance_id = await start_new_cleanup_orchestrator(client) - logging.info(f'started new instance -- {cleanup_new_instance_id}') + logging.info(f"started new instance -- {cleanup_new_instance_id}") else: first_run_setup() await start_new_orchestrator(client, True) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py index 493fc620c3d..b3340e07ae1 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py 
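Review bot: In first_run_setup the `stats_table.post("main", "current", …)` row is written before the three new `checkpoint_table.post(…)` rows, yet that row is what `main` uses to decide that setup already happened (`job_info is not None`); if a checkpoint post fails after it, the next timer run skips setup and the exports orchestrator reads checkpoint rows that do not exist. Writing the three checkpoint rows first and the `main`/`current` row last makes the marker mean "setup completed". The enclosing first_run_setup begins outside this hunk, and the remaining changes to `main` in it are quote-style only.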
@@ -1,122 +1,200 @@ import logging import os -from datetime import timedelta, datetime, timezone +from datetime import timedelta +import time -import azure.functions as func import azure.durable_functions as df from ..exports_store import ExportsTableStore, ExportsTableNames from ..tenable_helper import TenableStatus, TenableExportType -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False stats_table_name = ExportsTableNames.TenableExportStatsTable.value +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value export_schedule_minutes = int( - os.getenv('TenableExportScheduleInMinutes', '1440')) -start_asset_job_name = 'TenableStartAssetExportJob' -start_vuln_job_name = 'TenableStartVulnExportJob' -asset_orchestrator_name = 'TenableAssetExportOrchestrator' -vuln_orchestrator_name = 'TenableVulnExportOrchestrator' + os.getenv("TenableExportScheduleInMinutes", "1440")) +start_asset_job_name = "TenableStartAssetExportJob" +start_vuln_job_name = "TenableStartVulnExportJob" +asset_orchestrator_name = "TenableAssetExportOrchestrator" +vuln_orchestrator_name = "TenableVulnExportOrchestrator" +start_compliance_job_name = "TenableStartComplianceExportJob" +compliance_orchestrator_name = "TenableComplianceExportOrchestrator" + +def process_compliance_data(results, stats_store): + """Process compliance data and update Stats table. + + Args: + results (list): Results of sub-orchestrator calls. + stats_store (ExportsTableStore): Object of Stats table to be updated. 
+ """ + try: + compliance_job_finished = results[2] + compliance_id = compliance_job_finished["id"] if "id" in compliance_job_finished else "" + chunks = compliance_job_finished["chunks"] if "chunks" in compliance_job_finished else [ + ] + chunk_ids = ",".join(str(c) for c in chunks) + if compliance_id != "": + stats_store.merge(compliance_id, "prime", { + "status": TenableStatus.finished.value, + "chunks": chunk_ids, + "totalChunksCount": len(chunks) + }) + except IndexError as e: + logging.warning("compliance job returned no results") + logging.warning(e) + def orchestrator_function(context: df.DurableOrchestrationContext): - logging.info('started main orchestrator') + logging.info("started main orchestrator") logging.info( - f'instance id: f{context.instance_id} at {context.current_utc_datetime}') + f"instance id: f{context.instance_id} at {context.current_utc_datetime}") first_run = context.get_input() - if first_run is not None and 'isFirstRun' in first_run and first_run['isFirstRun'] == True: - filter_by_time = 0 + if first_run is not None and "isFirstRun" in first_run and first_run["isFirstRun"]: + assets_timestamp = 0 + vulns_timestamp = 0 + compliance_timestamp = 0 else: - filter_by_time = int( - (datetime.now(timezone.utc) - timedelta(minutes=export_schedule_minutes)).timestamp()) - logging.info('filter by time: %d', filter_by_time) + checkpoint_store = ExportsTableStore(connection_string, checkpoint_table_name) + assets_timestamp = checkpoint_store.get("assets", "timestamp").get("assets_timestamp", 0) + vulns_timestamp = checkpoint_store.get("vulns", "timestamp").get("vulns_timestamp", 0) + compliance_timestamp = checkpoint_store.get("compliance", "timestamp").get("compliance_timestamp", 0) - stats_store = ExportsTableStore(connection_string, stats_table_name) + logging.info("checkpoint timestamp value for assets: %d", assets_timestamp) + logging.info("checkpoint timestamp value for vulns: %d", vulns_timestamp) - asset_export_job_id = yield 
context.call_activity(start_asset_job_name, filter_by_time) - logging.info('retrieved a new asset job ID') - logging.warn( - f'instance id: f{context.instance_id} working with asset export job {asset_export_job_id}, sending to sub orchestrator') - - stats_store.merge(asset_export_job_id, 'prime', { - 'status': TenableStatus.processing.value, - 'exportType': TenableExportType.asset.value, - 'failedChunks': '', - 'chunks': '', - 'totalChunksCount': 0, - 'jobTimestamp': filter_by_time, - 'startedAt': context.current_utc_datetime.timestamp() + stats_store = ExportsTableStore(connection_string, stats_table_name) + asset_start_time = int(time.time()) + asset_export_job_id = yield context.call_activity(start_asset_job_name, assets_timestamp) + logging.info("retrieved a new asset job ID") + logging.warning( + f"instance id: f{context.instance_id} working with asset export job {asset_export_job_id}, sending to sub orchestrator") + + stats_store.merge(asset_export_job_id, "prime", { + "status": TenableStatus.processing.value, + "exportType": TenableExportType.asset.value, + "failedChunks": "", + "chunks": "", + "totalChunksCount": 0, + "jobTimestamp": assets_timestamp, + "startedAt": context.current_utc_datetime.timestamp() }) logging.info( - f'saved {asset_export_job_id} to stats table. moving to start vuln job.') - - vuln_export_job_id = yield context.call_activity(start_vuln_job_name, filter_by_time) - logging.info('retrieved a new vuln job ID') - logging.warn( - f'instance id: f{context.instance_id} working with vuln export job {vuln_export_job_id}, sending to sub orchestrator') - - stats_store.merge(vuln_export_job_id, 'prime', { - 'status': TenableStatus.processing.value, - 'exportType': TenableExportType.vuln.value, - 'failedChunks': '', - 'chunks': '', - 'totalChunksCount': 0, - 'jobTimestamp': filter_by_time, - 'startedAt': context.current_utc_datetime.timestamp() + f"saved {asset_export_job_id} to stats table. 
moving to start vuln job.") + vulns_start_time = int(time.time()) + vuln_export_job_id = yield context.call_activity(start_vuln_job_name, vulns_timestamp) + logging.info("retrieved a new vuln job ID") + logging.warning( + f"instance id: f{context.instance_id} working with vuln export job {vuln_export_job_id}, sending to sub orchestrator") + + stats_store.merge(vuln_export_job_id, "prime", { + "status": TenableStatus.processing.value, + "exportType": TenableExportType.vuln.value, + "failedChunks": "", + "chunks": "", + "totalChunksCount": 0, + "jobTimestamp": vulns_timestamp, + "startedAt": context.current_utc_datetime.timestamp() }) + if ingest_compliance_data: + compliance_start_time = int(time.time()) + compliance_export_job_id = yield context.call_activity(start_compliance_job_name, compliance_timestamp) + logging.info("retrieved a new compliance job ID") + logging.warning( + "instance id: {} working with compliance export job {}, sending to sub orchestrator".format( + context.instance_id, compliance_export_job_id + ) + ) + + logging.info("filter by time for compliance: %d", compliance_timestamp) + stats_store.merge(compliance_export_job_id, "prime", { + "status": TenableStatus.processing.value, + "exportType": TenableExportType.compliance.value, + "failedChunks": "", + "chunks": "", + "totalChunksCount": 0, + "jobTimestamp": compliance_timestamp, + "startedAt": context.current_utc_datetime.timestamp() + }) + logging.info( + "saved {} to stats table.".format(compliance_export_job_id)) + else: + logging.info("User opted not to ingest compliance data. 
Skipping compliance export job") asset_export = context.call_sub_orchestrator(asset_orchestrator_name, { - 'timestamp': filter_by_time, - 'assetJobId': asset_export_job_id, - 'mainOrchestratorInstanceId': context.instance_id + "timestamp": assets_timestamp, + "assetJobId": asset_export_job_id, + "mainOrchestratorInstanceId": context.instance_id, + "start_time": asset_start_time }) - stats_store.merge(asset_export_job_id, 'prime', { - 'status': TenableStatus.sent_to_sub_orchestrator.value + stats_store.merge(asset_export_job_id, "prime", { + "status": TenableStatus.sent_to_sub_orchestrator.value }) vuln_export = context.call_sub_orchestrator(vuln_orchestrator_name, { - 'timestamp': filter_by_time, - 'vulnJobId': vuln_export_job_id, - 'mainOrchestratorInstanceId': context.instance_id + "timestamp": vulns_timestamp, + "vulnJobId": vuln_export_job_id, + "mainOrchestratorInstanceId": context.instance_id, + "start_time": vulns_start_time }) - stats_store.merge(vuln_export_job_id, 'prime', { - 'status': TenableStatus.sent_to_sub_orchestrator.value + stats_store.merge(vuln_export_job_id, "prime", { + "status": TenableStatus.sent_to_sub_orchestrator.value }) - results = yield context.task_all([asset_export, vuln_export]) - logging.info('Finished both jobs!') + if ingest_compliance_data: + compliance_export = context.call_sub_orchestrator(compliance_orchestrator_name, { + "timestamp": compliance_timestamp, + "complianceJobId": compliance_export_job_id, + "mainOrchestratorInstanceId": context.instance_id, + "start_time": compliance_start_time + }) + stats_store.merge(compliance_export_job_id, "prime", { + "status": TenableStatus.sent_to_sub_orchestrator.value + }) + + results = yield context.task_all([asset_export, vuln_export, compliance_export]) + else: + logging.info("User opted not to ingest compliance data. 
Skipping compliance export sub orchestrator call.") + results = yield context.task_all([asset_export, vuln_export]) + logging.info("Finished all jobs!") logging.info(results) try: asset_job_finished = results[0] - asset_id = asset_job_finished['id'] if 'id' in asset_job_finished else '' - chunks = asset_job_finished['chunks'] if 'chunks' in asset_job_finished else [ + asset_id = asset_job_finished["id"] if "id" in asset_job_finished else "" + chunks = asset_job_finished["chunks"] if "chunks" in asset_job_finished else [ ] - chunk_ids = ','.join(str(c) for c in chunks) - if asset_id != '': - stats_store.merge(asset_id, 'prime', { - 'status': TenableStatus.finished.value, - 'chunks': chunk_ids, - 'totalChunksCount': len(chunks) + chunk_ids = ",".join(str(c) for c in chunks) + if asset_id != "": + stats_store.merge(asset_id, "prime", { + "status": TenableStatus.finished.value, + "chunks": chunk_ids, + "totalChunksCount": len(chunks) }) except IndexError as e: - logging.warn('asset job returned no results') - logging.warn(e) + logging.warning("asset job returned no results") + logging.warning(e) try: vuln_job_finished = results[1] - vuln_id = vuln_job_finished['id'] if 'id' in vuln_job_finished else '' - chunks = vuln_job_finished['chunks'] if 'chunks' in vuln_job_finished else [ + vuln_id = vuln_job_finished["id"] if "id" in vuln_job_finished else "" + chunks = vuln_job_finished["chunks"] if "chunks" in vuln_job_finished else [ ] - chunk_ids = ','.join(str(c) for c in chunks) - if vuln_id != '': - stats_store.merge(vuln_id, 'prime', { - 'status': TenableStatus.finished.value, - 'chunks': chunk_ids, - 'totalChunksCount': len(chunks) + chunk_ids = ",".join(str(c) for c in chunks) + if vuln_id != "": + stats_store.merge(vuln_id, "prime", { + "status": TenableStatus.finished.value, + "chunks": chunk_ids, + "totalChunksCount": len(chunks) }) except IndexError as e: - logging.warn('vuln job returned no results') - logging.warn(e) + logging.warning("vuln job returned no 
results") + logging.warning(e) + + # condition to process compliance job data only if user opted for it + if ingest_compliance_data: + process_compliance_data(results, stats_store) next_check = context.current_utc_datetime + \ timedelta(minutes=export_schedule_minutes) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py index 666afa8e22d..f599dc7906e 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py @@ -5,10 +5,12 @@ from ..exports_store import ExportsTableStore, ExportsTableNames -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] stats_table_name = ExportsTableNames.TenableExportStatsTable.value assets_export_table_name = ExportsTableNames.TenableAssetExportTable.value vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value +compliance_export_table_name = ExportsTableNames.TenableComplianceExportTable.value +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False def generate_finished_stats(table_client: ExportsTableStore, stats_table: ExportsTableStore): 
@@ -17,36 +19,36 @@ def generate_finished_stats(table_client: ExportsTableStore, stats_table: Export for fc in finished_chunks: logging.info(fc) - job_id = fc['PartitionKey'] - chunk_id = fc['RowKey'] - if not fc['PartitionKey'] in jobs_with_finished_chunks: + job_id = fc["PartitionKey"] + chunk_id = fc["RowKey"] + if not fc["PartitionKey"] in jobs_with_finished_chunks: jobs_with_finished_chunks[job_id] = { - 'chunks': [chunk_id] + "chunks": [chunk_id] } else: - jobs_with_finished_chunks[job_id]['chunks'].append(chunk_id) + jobs_with_finished_chunks[job_id]["chunks"].append(chunk_id) for job_id in jobs_with_finished_chunks.keys(): - logging.info(f'sending finished stats for {job_id}') - job = stats_table.get(job_id, 'prime') - existing_finished_chunks = job['finishedChunks'] if 'finishedChunks' in job else '' + logging.info(f"sending finished stats for {job_id}") + job = stats_table.get(job_id, "prime") + existing_finished_chunks = job["finishedChunks"] if "finishedChunks" in job else "" - ids = list(filter(None, existing_finished_chunks.split(','))) - to_add_ids = jobs_with_finished_chunks[job_id]['chunks'] + ids = list(filter(None, existing_finished_chunks.split(","))) + to_add_ids = jobs_with_finished_chunks[job_id]["chunks"] - logging.info(f'checking existing ids: {ids}') + logging.info(f"checking existing ids: {ids}") if sorted(ids) == sorted(to_add_ids): - logging.info('nothing to update here') + logging.info("nothing to update here") continue else: chunk_ids = list(set(ids) | set(to_add_ids)) - chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids) + chunk_ids_comma_list = ",".join(str(c) for c in chunk_ids) - logging.info(f'adding in these chunks {chunk_ids} to finished list') + logging.info(f"adding in these chunks {chunk_ids} to finished list") chunk_count = len(chunk_ids) - result = stats_table.merge(job_id, 'prime', { - 'finishedChunks': chunk_ids_comma_list, - 'finishedChunkCount': chunk_count + result = stats_table.merge(job_id, "prime", { + 
"finishedChunks": chunk_ids_comma_list, + "finishedChunkCount": chunk_count }) logging.info(result) 
@@ -57,50 +59,50 @@ def generate_processing_stats(table_client: ExportsTableStore, stats_table: Expo for pc in processing_chunks: logging.info(pc) - job_id = pc['PartitionKey'] - chunk_id = pc['RowKey'] - if not pc['PartitionKey'] in jobs_with_processing_chunks: + job_id = pc["PartitionKey"] + chunk_id = pc["RowKey"] + if not pc["PartitionKey"] in jobs_with_processing_chunks: jobs_with_processing_chunks[job_id] = { - 'chunks': [chunk_id] + "chunks": [chunk_id] } else: - jobs_with_processing_chunks[job_id]['chunks'].append(chunk_id) + jobs_with_processing_chunks[job_id]["chunks"].append(chunk_id) for job_id in jobs_with_processing_chunks.keys(): - logging.info(f'sending processing stats for {job_id}') - job = stats_table.get(job_id, 'prime') - existing_processing_chunks = job['processingChunks'] if 'processingChunks' in job else '' - existing_finished_chunks = job['finishedChunks'] if 'finishedChunks' in job else '' - existing_failed_chunks = job['failedChunks'] if 'failedChunks' in job else '' - - finished_ids = list(filter(None, existing_finished_chunks.split(','))) - failed_ids = list(filter(None, existing_failed_chunks.split(','))) + logging.info(f"sending processing stats for {job_id}") + job = stats_table.get(job_id, "prime") + existing_processing_chunks = job["processingChunks"] if "processingChunks" in job else "" + existing_finished_chunks = job["finishedChunks"] if "finishedChunks" in job else "" + existing_failed_chunks = job["failedChunks"] if "failedChunks" in job else "" + + finished_ids = list(filter(None, existing_finished_chunks.split(","))) + failed_ids = list(filter(None, existing_failed_chunks.split(","))) processing_ids = list( - filter(None, existing_processing_chunks.split(','))) - to_add_ids = jobs_with_processing_chunks[job_id]['chunks'] + filter(None, existing_processing_chunks.split(","))) + to_add_ids = jobs_with_processing_chunks[job_id]["chunks"] chunk_ids = list((set(processing_ids) | set(to_add_ids) ) - set(finished_ids) - 
set(failed_ids)) chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids) - logging.info(f'adding in these chunks {chunk_ids} to processing list') + logging.info(f"adding in these chunks {chunk_ids} to processing list") update_job = {} chunk_count = len(chunk_ids) if chunk_count > 0: - started_at = job['startedAt'] if 'startedAt' in job else 0 + started_at = job["startedAt"] if "startedAt" in job else 0 if started_at == 0: - update_job.update({'startedAt': datetime.now().timestamp()}) + update_job.update({"startedAt": datetime.now().timestamp()}) else: started_at_time = datetime.fromtimestamp( started_at) + timedelta(days=3) if started_at_time < datetime.now(): - update_job.update({'status': TenableStatus.failed.value}) + update_job.update({"status": TenableStatus.failed.value}) update_job.update({ - 'processingChunks': chunk_ids_comma_list, - 'processingChunkCount': chunk_count + "processingChunks": chunk_ids_comma_list, + "processingChunkCount": chunk_count }) - result = stats_table.merge(job_id, 'prime', update_job) + result = stats_table.merge(job_id, "prime", update_job) logging.info(result) 
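Review bot: The quote normalization misses `chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids)` in this hunk and `result = stats_table.merge(job_id, 'prime', update_job)` in the generate_failed_stats hunk, so the file ends up with a mix of both styles that the next formatter pass will churn again. Both are context lines here and would need to be rewritten as well, e.g. `chunk_ids_comma_list = ",".join(str(c) for c in chunk_ids)`. The `"prime"` row key is also repeated as a literal in every `get`/`merge` call in this file; a module-level `STATS_ROW_KEY = "prime"` would make the next such normalization a one-line change.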
@@ -110,41 +112,41 @@ def generate_failed_stats(table_client: ExportsTableStore, stats_table: ExportsT for fc in failed_chunks: logging.info(fc) - job_id = fc['PartitionKey'] - chunk_id = fc['RowKey'] - if not fc['PartitionKey'] in jobs_with_failed_chunks: + job_id = fc["PartitionKey"] + chunk_id = fc["RowKey"] + if not fc["PartitionKey"] in jobs_with_failed_chunks: jobs_with_failed_chunks[job_id] = { - 'chunks': [chunk_id], 'failedCount': 1} + "chunks": [chunk_id], "failedCount": 1} else: - jobs_with_failed_chunks[job_id]['chunks'].append(chunk_id) - jobs_with_failed_chunks[job_id]['failedCount'] += 1 + jobs_with_failed_chunks[job_id]["chunks"].append(chunk_id) + jobs_with_failed_chunks[job_id]["failedCount"] += 1 for job_id in jobs_with_failed_chunks.keys(): - logging.info(f'sending failure stats for {job_id}') - job = stats_table.get(job_id, 'prime') - existing_failed_chunks = job['failedChunks'] if 'failedChunks' in job else '' + logging.info(f"sending failure stats for {job_id}") + job = stats_table.get(job_id, "prime") + existing_failed_chunks = job["failedChunks"] if "failedChunks" in job else "" - ids = list(filter(None, existing_failed_chunks.split(','))) - to_add_ids = jobs_with_failed_chunks[job_id]['chunks'] + ids = list(filter(None, existing_failed_chunks.split(","))) + to_add_ids = jobs_with_failed_chunks[job_id]["chunks"] - logging.info(f'checking existing ids: {ids}') + logging.info(f"checking existing ids: {ids}") if sorted(ids) == sorted(to_add_ids): - logging.info('nothing to update here') + logging.info("nothing to update here") continue else: chunk_ids = list(set(ids) | set(to_add_ids)) - chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids) + chunk_ids_comma_list = ",".join(str(c) for c in chunk_ids) - logging.info(f'adding in these chunks {chunk_ids} to failure list') + logging.info(f"adding in these chunks {chunk_ids} to failure list") update_job = {} chunk_count = len(chunk_ids) if chunk_count > 0: - update_job['status'] = 
TenableStatus.failed.value + update_job["status"] = TenableStatus.failed.value update_job.update({ - 'failedChunks': chunk_ids_comma_list, - 'failedChunkCount': chunk_count + "failedChunks": chunk_ids_comma_list, + "failedChunkCount": chunk_count }) result = stats_table.merge(job_id, 'prime', update_job) logging.info(result) @@ -152,9 +154,9 @@ def generate_failed_stats(table_client: ExportsTableStore, stats_table: ExportsT def main(name) -> str: stats_table = ExportsTableStore(connection_string, stats_table_name) - assets_table = ExportsTableStore( - connection_string, assets_export_table_name) + assets_table = ExportsTableStore(connection_string, assets_export_table_name) vuln_table = ExportsTableStore(connection_string, vuln_export_table_name) + compliance_table = ExportsTableStore(connection_string, compliance_export_table_name) generate_finished_stats(assets_table, stats_table) generate_finished_stats(vuln_table, stats_table) @@ -164,4 +166,9 @@ def main(name) -> str: generate_processing_stats(assets_table, stats_table) generate_processing_stats(vuln_table, stats_table) + + if ingest_compliance_data: + generate_finished_stats(compliance_table, stats_table) + generate_failed_stats(compliance_table, stats_table) + generate_processing_stats(compliance_table, stats_table) return True diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py index 6b127366cd8..b7f946ce197 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py 
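Review bot: `compliance_table` is constructed unconditionally in the preceding `main` hunk but is only used inside the `if ingest_compliance_data:` block added here; moving `compliance_table = ExportsTableStore(connection_string, compliance_export_table_name)` into that block avoids creating a client (and, if the constructor touches storage, a table) for a feature the user has disabled. The annotation `def main(name) -> str` also disagrees with `return True` on the last line; `-> bool` matches what the function does. I can't tell from this hunk whether `ExportsTableStore.__init__` performs I/O, so the first point is about intent as much as cost.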
@@ -9,77 +9,91 @@ from ..tenable_helper import TenableIO, TenableStatus, TenableChunkPartitioner from tenable.errors import APIError -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_table_name = ExportsTableNames.TenableAssetExportTable.value -workspace_id = os.environ['WorkspaceID'] -workspace_key = os.environ['WorkspaceKey'] -log_analytics_uri = os.getenv('LogAnalyticsUri', '') -log_type = 'Tenable_VM_Assets_CL' +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value +workspace_id = os.environ["WorkspaceID"] +workspace_key = os.environ["WorkspaceKey"] +log_analytics_uri = os.getenv("LogAnalyticsUri", "") +log_type = "Tenable_VM_Assets_CL" def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") assets_table = ExportsTableStore(connection_string, assets_table_name) try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details.get('exportJobId', '') - chunk_id = export_job_details.get('chunkId', '') + export_job_id = export_job_details.get("exportJobId", "") + chunk_id = export_job_details.get("chunkId", "") + start_time = export_job_details.get("startTime", 0) + update_checkpoint = export_job_details.get("updateCheckpoint", False) - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") raise Exception( - f'cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID 
{chunk_id}') + "cannot process without export job ID and chunk ID -- " + "found job ID {} - chunk ID {}".format(export_job_id, chunk_id) + ) else: logging.info( - 'using pyTenable client to download asset export job chunk') + "using pyTenable client to download asset export job chunk") logging.info( - f'downloading chunk at assets/{export_job_id}/chunks/{chunk_id}') + f"downloading chunk at assets/{export_job_id}/chunks/{chunk_id}") tio = TenableIO() try: - chunk = tio.exports.chunk('assets', export_job_id, chunk_id) + chunk = tio.exports.chunk("assets", export_job_id, chunk_id) logging.info( - f'received a response from assets/{export_job_id}/chunks/{chunk_id}') + f"received a response from assets/{export_job_id}/chunks/{chunk_id}") - # limiting individual chunk uploaded to sentinel to be < 30 MB size. - sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) + if len(chunk) == 0: + logging.info("No data found in chunk, chunk_id: {}, job_id: {}".format(chunk_id, export_job_id)) + else: + # limiting individual chunk uploaded to sentinel to be < 30 MB size. 
+ sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) - for sub_chunk in sub_chunks: - serialized_sub_chunk = json.dumps(sub_chunk) + for sub_chunk in sub_chunks: + serialized_sub_chunk = json.dumps(sub_chunk) - logging.info('Uploading sub-chunk with size: %d', len(serialized_sub_chunk)) + logging.info("Uploading sub-chunk with size: %d", len(serialized_sub_chunk)) - # Send to Azure Sentinel here - az_sentinel = AzureSentinel( - workspace_id, workspace_key, log_type, log_analytics_uri) + # Send to Azure Sentinel here + az_sentinel = AzureSentinel( + workspace_id, workspace_key, log_type, log_analytics_uri) - az_code = az_sentinel.post_data(serialized_sub_chunk) + az_code = az_sentinel.post_data(serialized_sub_chunk) - logging.warning( - f'Azure Sentinel reports the following status code: {az_code}') + logging.warning( + f"Azure Sentinel reports the following status code: {az_code}") assets_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.finished.value + "jobStatus": TenableStatus.finished.value }) + if update_checkpoint: + logging.info("Updating Assets checkpoint to value: {}".format(start_time)) + checkpoint_table = ExportsTableStore(connection_string, checkpoint_table_name) + checkpoint_table.merge("assets", "timestamp", { + "assets_timestamp": start_time + }) except APIError as e: - logging.warn( - f'Failure to retrieve asset data from Tenable. Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}') + logging.warning( + f"Failure to retrieve asset data from Tenable. 
Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}") assets_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value, - 'tenableFailedRequestId': e.uuid, - 'tenableFailedRequestStatusCode': e.code + "jobStatus": TenableStatus.failed.value, + "tenableFailedRequestId": e.uuid, + "tenableFailedRequestStatusCode": e.code }) raise Exception( - f'Retrieving from Tenable failed with status code {e.code}') + f"Retrieving from Tenable failed with status code {e.code}") except Exception as e: assets_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) - logging.warn( - f'there was an error processing chunks. message sent - {decoded_message}') - logging.warn(e) + logging.warning( + f"there was an error processing chunks. message sent - {decoded_message}") + logging.warning(e) raise e diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/__init__.py new file mode 100644 index 00000000000..d6139aace77 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/__init__.py 
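Review bot: The added checkpoint update writes `assets_timestamp` as `start_time` as soon as this one chunk is stored, without checking that every other chunk of `export_job_id` has finished; storage-queue delivery is not ordered, and a sibling chunk that later lands in the poison queue is marked failed by TenableProcessFailedAssetChunkFromQueue after the checkpoint has already moved past it, so the next incremental export never fetches that data. The vulnerability handler (`"vulns_timestamp"`) and the new compliance handler (`"compliance_timestamp"`) follow the same pattern. I can't see how the producer chooses `updateCheckpoint`, but a safer place for the merge is the stats generator, which already tracks `finishedChunkCount` against `totalChunksCount` per job, or at minimum a query of `assets_table` for rows of `export_job_id` whose `jobStatus` is not finished before the merge. Also, `start_time` defaults to `0` here, so a message that sets `updateCheckpoint` without `startTime` would rewind the checkpoint to the epoch and trigger a full re-export; consider skipping the merge when `start_time == 0`.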
@@ -0,0 +1,144 @@ +"""Queue trigger function for ingesting compliance export job chunks into Sentinel.""" + +import json +import logging +import os + +import azure.functions as func + +from ..exports_store import ExportsTableStore, ExportsTableNames +from ..azure_sentinel import AzureSentinel +from ..tenable_helper import TenableIO, TenableStatus, TenableChunkPartitioner +from tenable.errors import APIError + +connection_string = os.environ["AzureWebJobsStorage"] +compliance_table_name = ExportsTableNames.TenableComplianceExportTable.value +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value +workspace_id = os.environ["WorkspaceID"] +workspace_key = os.environ["WorkspaceKey"] +log_analytics_uri = os.getenv("LogAnalyticsUri", "") +log_type = "Tenable_VM_Compliance_CL" + + +def main(msg: func.QueueMessage) -> None: + """Ingest compliance export job chunks into Sentinel.""" + logging.info( + "Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8"), + ) + decoded_message = msg.get_body().decode("utf-8") + compliance_table = ExportsTableStore(connection_string, compliance_table_name) + + try: + export_job_details = json.loads(decoded_message) + export_job_id = export_job_details.get("exportJobId", "") + chunk_id = export_job_details.get("chunkId", "") + start_time = export_job_details.get("startTime", 0) + update_checkpoint = export_job_details.get("updateCheckpoint", False) + + if export_job_id == "" or chunk_id == "": + logging.warning( + "missing information to process a chunk: message sent - {}".format( + decoded_message + ) + ) + raise Exception( + "cannot process without export job ID and chunk ID -- found job ID {} - chunk ID {}".format( + export_job_id, chunk_id + ) + ) + else: + logging.info( + "using pyTenable client to download compliance export job chunk" + ) + logging.info( + "downloading chunk at compliance/{}/chunks/{}".format( + export_job_id, chunk_id + ) + ) + tio = TenableIO() + try: + chunk 
= tio.exports.download_chunk( + "compliance", export_job_id, chunk_id + ) + logging.info( + "received a response from compliance/{}/chunks/{}".format( + export_job_id, chunk_id + ) + ) + if len(chunk) == 0: + logging.info( + "No data found in chunk, chunk_id: {}, job_id: {}".format( + chunk_id, export_job_id + ) + ) + else: + # limiting individual chunk uploaded to sentinel to be < 30 MB size. + sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) + + for sub_chunk in sub_chunks: + serialized_sub_chunk = json.dumps(sub_chunk) + + logging.info( + "Uploading sub-chunk with size: %d", + len(serialized_sub_chunk), + ) + + # Send to Azure Sentinel here + az_sentinel = AzureSentinel( + workspace_id, workspace_key, log_type, log_analytics_uri + ) + + az_code = az_sentinel.post_data(serialized_sub_chunk) + + logging.warning( + f"Azure Sentinel reports the following status code: {az_code}" + ) + + compliance_table.update_if_found( + export_job_id, + str(chunk_id), + {"jobStatus": TenableStatus.finished.value}, + ) + if update_checkpoint: + logging.info( + "Updating Compliance checkpoint to value: {}".format(start_time) + ) + checkpoint_table = ExportsTableStore( + connection_string, checkpoint_table_name + ) + checkpoint_table.merge( + "compliance", "timestamp", {"compliance_timestamp": start_time} + ) + except APIError as api_err: + logging.warning( + "Failure to retrieve compliance data from Tenable. 
Response code: {}" + " Request ID: {} Export Job ID: {} Chunk ID: {}".format( + api_err.code, api_err.uuid, export_job_id, chunk_id + ) + ) + compliance_table.update_if_found( + export_job_id, + str(chunk_id), + { + "jobStatus": TenableStatus.failed.value, + "tenableFailedRequestId": api_err.uuid, + "tenableFailedRequestStatusCode": api_err.code, + }, + ) + raise Exception( + "Retrieving from Tenable failed with status code {}".format( + api_err.code + ) + ) + + except Exception as err: + compliance_table.update_if_found( + export_job_id, str(chunk_id), {"jobStatus": TenableStatus.failed.value} + ) + logging.warning( + "there was an error processing chunks: message sent - {}: error - {}".format( + decoded_message, err + ) + ) + raise err diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/function.json new file mode 100644 index 00000000000..75f49dcbbe6 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/function.json @@ -0,0 +1,12 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "msg", + "type": "queueTrigger", + "direction": "in", + "queueName": "tenable-compliance-export-queue", + "connection": "AzureWebJobsStorage" + } + ] +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py index aa13eba1f0b..cb8a6330264 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py 
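Review bot: If `json.loads(decoded_message)` raises, the outer `except Exception as err:` handler runs `compliance_table.update_if_found(export_job_id, str(chunk_id), ...)` before either name has been bound, so the original parse error is replaced by an UnboundLocalError and the poison-queue path sees the wrong exception; binding `export_job_id = ""` and `chunk_id = ""` before the `try` keeps the handler well-defined. The asset and vulnerability handlers in this commit have the same shape. Separately, this file calls `tio.exports.download_chunk("compliance", ...)` while the other two handlers call `tio.exports.chunk(...)`; if `TenableIO` wraps the same pyTenable exports API, these may be different methods with different return types, so the `len(chunk) == 0` check and the partitioner input should be confirmed against what `download_chunk` actually returns.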
@@ -6,37 +6,37 @@ import azure.functions as func -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_table_name = ExportsTableNames.TenableAssetExportTable.value def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details['exportJobId'] if 'exportJobId' in export_job_details else '' - chunk_id = export_job_details['chunkId'] if 'chunkId' in export_job_details else '' + export_job_id = export_job_details["exportJobId"] if "exportJobId" in export_job_details else "" + chunk_id = export_job_details["chunkId"] if "chunkId" in export_job_details else "" - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') - logging.warn( - f'cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}') - logging.warn('Removing from asset poison queue') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") + logging.warning( + f"cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}") + logging.warning("Removing from asset poison queue") return assets_table = ExportsTableStore( connection_string, assets_table_name) if assets_table.get(export_job_id, chunk_id) is not None: assets_table.merge(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) return except Exception as e: - 
logging.warn('Could not process job or chunk') - logging.warn(f'Raised this exception {e}') - logging.warn('Removing from asset poison queue') + logging.warning("Could not process job or chunk") + logging.warning(f"Raised this exception {e}") + logging.warning("Removing from asset poison queue") return diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/__init__.py new file mode 100644 index 00000000000..0f5e8188292 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/__init__.py 
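Review bot: The lookup `assets_table.get(export_job_id, chunk_id)` passes `chunk_id` as-is while the merge two lines later uses `str(chunk_id)`; if `chunkId` arrives as an integer in the message (the `str()` on the merge suggests it can), the row is looked up under a key that differs from the one it was written with and the failure is never recorded. Using `str(chunk_id)` in both calls removes the mismatch. The new TenableProcessFailedComplianceChunkFromQueue file and the TenableProcessFailedVulnChunkFromQueue hunk contain the same pair of calls.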
@@ -0,0 +1,59 @@ +"""Queue trigger function for processing failed compliance export job chunks.""" + +import logging +import os +import json +from ..exports_store import ExportsTableStore, ExportsTableNames +from ..tenable_helper import TenableStatus + +import azure.functions as func + +connection_string = os.environ["AzureWebJobsStorage"] +compliance_table_name = ExportsTableNames.TenableComplianceExportTable.value + + +def main(msg: func.QueueMessage) -> None: + """Process failed compliance export job chunks. + + Args: + msg (func.QueueMessage): Queue message + """ + logging.info( + "Python queue trigger compliance failure function processed a queue item: %s", + msg.get_body().decode("utf-8"), + ) + decoded_message = msg.get_body().decode("utf-8") + + try: + export_job_details = json.loads(decoded_message) + export_job_id = ( + export_job_details["exportJobId"] + if "exportJobId" in export_job_details + else "" + ) + chunk_id = ( + export_job_details["chunkId"] if "chunkId" in export_job_details else "" + ) + + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning("message sent - {}".format(decoded_message)) + logging.warning( + "cannot process without export job ID and chunk ID -- found job ID {} - chunk ID {}".format( + export_job_id, chunk_id + ) + ) + logging.warning("Removing from compliance poison queue") + return + + compliance_table = ExportsTableStore(connection_string, compliance_table_name) + if compliance_table.get(export_job_id, chunk_id) is not None: + compliance_table.merge( + export_job_id, str(chunk_id), {"jobStatus": TenableStatus.failed.value} + ) + return + except Exception as err: + logging.warning("Could not process job or chunk") + logging.warning("Raised this exception {}".format(err)) + logging.warning("Removing from compliance poison queue") + return 
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/function.json new file mode 100644 index 00000000000..7a89b985b0d --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/function.json @@ -0,0 +1,12 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "msg", + "type": "queueTrigger", + "direction": "in", + "queueName": "tenable-compliance-export-queue-poison", + "connection": "AzureWebJobsStorage" + } + ] +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py index 125bdf6a4c5..59a4a851be5 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py 
@@ -6,37 +6,37 @@ import azure.functions as func -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] vuln_table_name = ExportsTableNames.TenableVulnExportTable.value def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger vuln failure function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger vuln failure function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details['exportJobId'] if 'exportJobId' in export_job_details else '' - chunk_id = export_job_details['chunkId'] if 'chunkId' in export_job_details else '' + export_job_id = export_job_details["exportJobId"] if "exportJobId" in export_job_details else "" + chunk_id = export_job_details["chunkId"] if "chunkId" in export_job_details else "" - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') - logging.warn( - f'cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}') - logging.warn('Removing from vuln poison queue') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") + logging.warning( + f"cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}") + logging.warning("Removing from vuln poison queue") return vuln_table = ExportsTableStore( connection_string, vuln_table_name) if vuln_table.get(export_job_id, chunk_id) is not None: vuln_table.merge(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) return except Exception as 
e: - logging.warn('Could not process job or chunk') - logging.warn(f'Raised this exception {e}') - logging.warn('Removing from vuln poison queue') + logging.warning("Could not process job or chunk") + logging.warning(f"Raised this exception {e}") + logging.warning("Removing from vuln poison queue") return diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py index 798de698902..aa3d1d1f280 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py 
@@ -8,81 +8,97 @@ from ..azure_sentinel import AzureSentinel from tenable.errors import APIError -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] vuln_table_name = ExportsTableNames.TenableVulnExportTable.value -workspace_id = os.environ['WorkspaceID'] -workspace_key = os.environ['WorkspaceKey'] -log_analytics_uri = os.getenv('LogAnalyticsUri', '') -log_type = 'Tenable_VM_Vuln_CL' +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value +workspace_id = os.environ["WorkspaceID"] +workspace_key = os.environ["WorkspaceKey"] +log_analytics_uri = os.getenv("LogAnalyticsUri", "") +log_type = "Tenable_VM_Vuln_CL" logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") logger.setLevel(logging.WARNING) def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") vuln_table = ExportsTableStore( connection_string, vuln_table_name) try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details.get('exportJobId', '') - chunk_id = export_job_details.get('chunkId', '') + export_job_id = export_job_details.get("exportJobId", "") + chunk_id = export_job_details.get("chunkId", "") + start_time = export_job_details.get("startTime", 0) + update_checkpoint = export_job_details.get("updateCheckpoint", False) - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") raise Exception( - f'cannot process without 
export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}') + f"cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}") else: logging.info( - 'using pyTenable client to download asset export job chunk') + "using pyTenable client to download vulnerability export job chunk") logging.info( - f'downloading chunk at vulns/{export_job_id}/chunks/{chunk_id}') + f"downloading chunk at vulns/{export_job_id}/chunks/{chunk_id}") tio = TenableIO() try: - chunk = tio.exports.chunk('vulns', export_job_id, chunk_id) + chunk = tio.exports.chunk("vulns", export_job_id, chunk_id) logging.info( - f'received a response from vulns/{export_job_id}/chunks/{chunk_id}') + f"received a response from vulns/{export_job_id}/chunks/{chunk_id}") - # limiting individual chunk uploaded to sentinel to be < 30 MB size. - sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) + if len(chunk) == 0: + logging.info("No data found in chunk, chunk_id: {}, job_id: {}".format(chunk_id, export_job_id)) + else: + # limiting individual chunk uploaded to sentinel to be < 30 MB size. 
+ sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) - for sub_chunk in sub_chunks: - serialized_sub_chunk = json.dumps(sub_chunk) + for sub_chunk in sub_chunks: + serialized_sub_chunk = json.dumps(sub_chunk) - logging.info('Uploading sub-chunk with size: %d', len(serialized_sub_chunk)) + logging.info("Uploading sub-chunk with size: %d", len(serialized_sub_chunk)) - # Send to Azure Sentinel here - az_sentinel = AzureSentinel( - workspace_id, workspace_key, log_type, log_analytics_uri) + # Send to Azure Sentinel here + az_sentinel = AzureSentinel( + workspace_id, workspace_key, log_type, log_analytics_uri) - az_code = az_sentinel.post_data(serialized_sub_chunk) + az_code = az_sentinel.post_data(serialized_sub_chunk) - logging.warning( - f'Azure Sentinel reports the following status code: {az_code}') + logging.warning( + f"Azure Sentinel reports the following status code: {az_code}") vuln_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.finished.value + "jobStatus": TenableStatus.finished.value }) + if update_checkpoint: + logging.info( + "Updating Vulns checkpoint to value: {}".format(start_time) + ) + checkpoint_table = ExportsTableStore( + connection_string, checkpoint_table_name + ) + checkpoint_table.merge( + "vulns", "timestamp", {"vulns_timestamp": start_time} + ) except APIError as e: - logging.warn( - f'Failure to retrieve asset data from Tenable. Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}') + logging.warning( + f"Failure to retrieve vulnerability data from Tenable. 
Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}") vuln_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value, - 'tenableFailedRequestId': e.uuid, - 'tenableFailedRequestStatusCode': e.code + "jobStatus": TenableStatus.failed.value, + "tenableFailedRequestId": e.uuid, + "tenableFailedRequestStatusCode": e.code }) raise Exception( - f'Retrieving from Tenable failed with status code {e.code}') + f"Retrieving from Tenable failed with status code {e.code}") except Exception as e: vuln_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) - logging.warn( - f'there was an error processing chunks. message sent - {decoded_message}') - logging.warn(e) + logging.warning( + f"there was an error processing chunks. message sent - {decoded_message}") + logging.warning(e) raise e diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py index 0f317b1876c..a94cdc57de2 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py 
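Review bot: `az_code = az_sentinel.post_data(serialized_sub_chunk)` is only logged (at warning level, even on success) and never inspected, so a rejected upload still reaches `vuln_table.update_if_found(..., finished)` and, with the new `update_checkpoint` branch, advances `vulns_timestamp` past data that was never ingested. Assuming `post_data` returns the HTTP status code as the log text suggests, raising when it is not a 2xx would route the chunk through the existing `except Exception` path, mark it failed and leave the checkpoint untouched. The asset and compliance handlers in this commit share this gap.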
@@ -4,15 +4,15 @@ def main(timestamp: int) -> object: - logging.info('using pyTenable client to create new asset export job') + logging.info("using pyTenable client to create new asset export job") tio = TenableIO() logging.info( - f'requesting a new Asset Export Job from Tenable') + "requesting a new Asset Export Job from Tenable for timestamp={}".format(timestamp)) # limiting chunk size to contain 100 assets details. For some bigger # containers, each chunk is reported to be some hundreds of MBs resulting # into azure function crash due to OOM errors. job_id = tio.exports.assets(updated_at=timestamp, chunk_size=100) - logging.info(f'received a response from Asset Export Job request') + logging.info(f"received a response from Asset Export Job request") logging.info(job_id) return job_id diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/__init__.py new file mode 100644 index 00000000000..f51c462b350 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/__init__.py 
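Review bot: `logging.info(f"received a response from Asset Export Job request")` is an f-string with no placeholders, while the line just above it was converted to `.format()` in this same hunk; drop the `f` prefix, or fold the id into the message and remove the separate `logging.info(job_id)` call, `logging.info("received a response from Asset Export Job request: {}".format(job_id))`. The rest of `main` is unchanged and visible in the hunk.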
@@ -0,0 +1,38 @@
+"""Activity function to start a new compliance export job."""
+
+import logging
+
+from ..tenable_helper import TenableIO
+
+
+def main(timestamp: int) -> object:
+"""
+Create a new compliance export job using the pyTenable client.
+
+Args:
+timestamp (int): The timestamp to filter compliance details.
+
+Returns:
+object: The job ID of the created compliance export job as a string.
+"""
+logging.info("using pyTenable client to create new compliance export job")
+tio = TenableIO()
+logging.info("requesting a new Compliance Export Job from Tenable")
+# limiting chunk size to contain 100 compliance details. For some bigger
+# containers, each chunk is reported to be some hundreds of MBs resulting
+# into azure function crash due to OOM errors.
+if timestamp == 0:
+logging.info("Timestamp is 0. Fetching all compliance details")
+job_id = tio.exports.compliance(use_iterator=False, num_findings=100)
+else:
+logging.info("Fetching compliance details for timestamp: {}".format(timestamp))
+job_id = tio.exports.compliance(
+use_iterator=False, num_findings=100, indexed_at=timestamp
+)
+
+logging.info(
+"received a response from Compliance Export Job request. job_id = {}".format(
+job_id
+)
+)
+return str(job_id)
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/function.json
new file mode 100644
index 00000000000..706dc18487a
--- /dev/null
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/function.json
@@ -0,0 +1,10 @@
+{
+"scriptFile": "__init__.py",
+"bindings": [
+{
+"name": "timestamp",
+"type": "activityTrigger",
+"direction": "in"
+}
+]
+}
\ No newline at end of file
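Review bot: `return str(job_id)` differs from the asset and vuln start functions in this diff, which return whatever `tio.exports.*` hands back, and `str()` cannot fail if pyTenable returns something other than a plain export UUID (the explicit `use_iterator=False` suggests the library may otherwise return an iterator), so a malformed id would only surface later when the orchestrator polls `exports.status`. Either return the raw value for consistency with the sibling functions, or validate the shape before returning, e.g. `job_id = str(uuid.UUID(str(job_id)))`. A one-line comment on the `timestamp == 0` branch stating that it triggers a full, unfiltered compliance export (the first-run case) would also help the next maintainer.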
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py
index 4b42253da35..e819b12c89b 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py
@@ -1,18 +1,44 @@ import logging +import os from ..tenable_helper import TenableIO +severity = os.environ.get("LowestSeveritytoStore", "") +SEVERITIES = ["info", "low", "medium", "high", "critical"] + def main(timestamp: int) -> object: - logging.info('using pyTenable client to create new vuln export job') + logging.info("using pyTenable client to create new vuln export job") tio = TenableIO() - logging.info( - f'requesting a new Vuln Export Job from Tenable') - # limiting number of assets to 50. For some bigger containers, + logging.info("requesting a new Vuln Export Job from Tenable for timestamp: {}".format(timestamp)) + # limiting number of assets to 50. For some bigger containers, # each chunk is reported to be some hundreds of MBs resulting # into azure function crash due to OOM errors. - job_id = tio.exports.vulns(last_found=timestamp, num_assets=50) + if severity and severity.lower() in SEVERITIES: + logging.info("Selected lowest severity: {}".format(severity)) + logging.info( + "Fetching vulnerability Data for severity: {}".format( + SEVERITIES[SEVERITIES.index(severity.lower()):] + ) + ) + job_id = tio.exports.vulns( + last_found=timestamp, + num_assets=50, + severity=SEVERITIES[SEVERITIES.index(severity.lower()):], + ) + else: + logging.warning( + "Either 'Lowest Severity to Store' parameter is not set or value is not from allowed values" + "(info,low,medium,high,critical)." + ) + logging.info( + "Fetching vulnerability Data for severity {} considering default Info as lowest severity value.".format( + SEVERITIES + ) + ) + job_id = tio.exports.vulns( + last_found=timestamp, num_assets=50, severity=SEVERITIES + ) - logging.info(f'received a response from Vuln Export Job request') - logging.info(job_id) + logging.info(f"received a response from Vuln Export Job request{job_id}") return job_id 
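Review bot: the severity slice `SEVERITIES[SEVERITIES.index(severity.lower()):]` is computed twice on top of the membership test, and the two `tio.exports.vulns(...)` calls differ only in the `severity` argument, so the branch collapses to choosing a list and making one call. The warning is also built from two adjacent literals with no separating space, which logs `...allowed values(info,low,...`. An unset or unrecognised setting silently falls back to ingesting every severity, which is the safe default for a SIEM feed but should be said in the deployment docs, and the module-level `os.environ.get` is read once at import, fine on Azure Functions where a settings change restarts the host but worth a comment. The suggested shape:

```python
def main(timestamp: int) -> object:
    # … unchanged: client creation and request log …
    lowest = severity.lower()
    if lowest in SEVERITIES:
        selected = SEVERITIES[SEVERITIES.index(lowest):]
        logging.info("Selected lowest severity: {}".format(severity))
    else:
        logging.warning(
            "Either 'Lowest Severity to Store' parameter is not set or value is not from allowed values "
            "(info,low,medium,high,critical)."
        )
        selected = SEVERITIES
    logging.info("Fetching vulnerability Data for severity: {}".format(selected))
    job_id = tio.exports.vulns(last_found=timestamp, num_assets=50, severity=selected)
    logging.info("received a response from Vuln Export Job request: {}".format(job_id))
    return job_id
```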
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json index 7bd0917dc68..d3da7c12acb 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json @@ -2,7 +2,7 @@ "id": "TenableVM", "title": "Tenable Vulnerability Management", "publisher": "Tenable", - "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset and Vulnerability data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", + "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", "additionalRequirementBanner": "These queries and workbooks are dependent on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on Kusto to work as expected which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { @@ -14,6 +14,11 @@ "metricName": "Total data received", "legend": "Tenable_VM_Vuln_CL", "baseQuery": "Tenable_VM_Vuln_CL" + }, + { + "metricName": "Total data received", + "legend": "Tenable_VM_Compliance_CL", + "baseQuery": "Tenable_VM_Compliance_CL" } ], "sampleQueries": [ 
@@ -25,6 +30,10 @@ "description": "Tenable VM Report - All Vulns", "query": "Tenable_VM_Vuln_CL\n | sort by TimeGenerated desc" }, + { + "description": "Tenable VM Report - All Compliance", + "query": "Tenable_VM_Compliance_CL\n | sort by TimeGenerated desc" + }, { "description": "Select unique vulnerabilities by a specific asset.", "query": "Tenable_VM_Vuln_CL\n | where asset_fqdn_s has \"one.one.one.one\"\n | summarize any(asset_fqdn_s, plugin_id_d, plugin_cve_s) by plugin_id_d" @@ -42,6 +51,10 @@ { "name": "Tenable_VM_Vuln_CL", "lastDataReceivedQuery": "Tenable_VM_Vuln_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Tenable_VM_Compliance_CL", + "lastDataReceivedQuery": "Tenable_VM_Compliance_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -56,6 +69,12 @@ "value": [ "Tenable_VM_Vuln_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Tenable_VM_Compliance_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "availability": { 
@@ -99,7 +118,7 @@ "instructionSteps": [ { "title": "", - "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk) and [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk), [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "title": "", @@ -110,7 +129,7 @@ }, { "title": "", - "description": "**STEP 1 - Configuration steps for TenableVM\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" + "description": "**STEP 1 - Configuration steps for TenableVM**\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" }, { "title": "", 
@@ -138,7 +157,7 @@ }, { "title": "Option 1 - Azure Resource Manager (ARM) Template", - "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Select **Lowest Severity to Store** to set the lowest vulnerability severity. Default is Info. \n5. Select true for **Compliance Data Ingestion** to ingest Compliance data. Default is false. \n6. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n7. Click **Purchase** to deploy." }, { "title": "Option 2 - Manual Deployment of Azure Functions", 
@@ -150,7 +169,7 @@ }, { "title": "", - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLowestSeveritytoStore\n\t\tComplianceDataIngestion\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." } ], "metadata": { 
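Review bot: the manual-deployment step now lists `LowestSeveritytoStore` and `ComplianceDataIngestion` but gives no accepted values, unlike the ARM option above it which offers a pick list; an operator setting these by hand has to read the function code (which, per the vuln export hunk in this diff, accepts info/low/medium/high/critical case-insensitively and treats anything else as Info) to get them right. Add the values inline, e.g. `LowestSeveritytoStore (Info, Low, Medium, High or Critical; default Info)` and `ComplianceDataIngestion (true or false; default false)`. The `additionalRequirementBanner` earlier in this file still names only the vulnerabilities and assets parsers; if a compliance parser ships with this change it should be listed there as well.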
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVMAzureSentinelConnector310.zip b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVMAzureSentinelConnector310.zip new file mode 100644 index 00000000000..15329b27403 Binary files /dev/null and b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVMAzureSentinelConnector310.zip differ diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py index 89fea175b8c..9f83bfd31d5 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py @@ -1,3 +1,4 @@ +import json import os import logging from datetime import timedelta 
@@ -6,77 +7,79 @@ import azure.functions as func import azure.durable_functions as df -vuln_status_and_chunk = 'TenableVulnExportStatusAndSendChunks' -export_poll_schedule_minutes = int(os.getenv('TenableExportPollScheduleInMinutes', '1')) +vuln_status_and_chunk = "TenableVulnExportStatusAndSendChunks" +export_poll_schedule_minutes = int(os.getenv("TenableExportPollScheduleInMinutes", "1")) def orchestrator_function(context: df.DurableOrchestrationContext): - logging.info('started vuln export orchestrator') + logging.info("started vuln export orchestrator") job_details = context.get_input() - logging.info('loaded job details from orchestrator:') + logging.info("loaded job details from orchestrator:") logging.info(job_details) - vuln_job_id = job_details['vulnJobId'] if 'vulnJobId' in job_details else '' - if vuln_job_id == '': + vuln_job_id = job_details["vulnJobId"] if "vulnJobId" in job_details else "" + if vuln_job_id == "": return { - 'status': TenableStatus.no_job.value, - 'id': '', - 'chunks': [], - 'vulnInstanceId': context.instance_id, - 'type': TenableExportType.vuln.value + "status": TenableStatus.no_job.value, + "id": "", + "chunks": [], + "vulnInstanceId": context.instance_id, + "type": TenableExportType.vuln.value } chunks = [] - logging.info(f'checking status of job {vuln_job_id}, outside while loop') - job_status = yield context.call_activity(vuln_status_and_chunk, vuln_job_id) + logging.info(f"checking status of job {vuln_job_id}, outside while loop") + start_time = job_details.get("start_time", 0) + str_activity_data = json.dumps({"vuln_job_id": vuln_job_id, "start_time": start_time}) + job_status = yield context.call_activity(vuln_status_and_chunk, str_activity_data) - logging.info(f'{vuln_job_id} is currently in this state:') + logging.info(f"{vuln_job_id} is currently in this state:") logging.info(job_status) - logging.info(job_status['status']) + logging.info(job_status["status"]) - tio_status = ['ERROR', 'CANCELLED', 'FINISHED'] - while not 
'status' in job_status or not (job_status['status'] in tio_status): - job_status = yield context.call_activity(vuln_status_and_chunk, vuln_job_id) + tio_status = ["ERROR", "CANCELLED", "FINISHED"] + while not "status" in job_status or not (job_status["status"] in tio_status): + job_status = yield context.call_activity(vuln_status_and_chunk, str_activity_data) logging.info( - f'Checking {vuln_job_id} after waking up again, inside while loop:') + f"Checking {vuln_job_id} after waking up again, inside while loop:") logging.info(job_status) - logging.info(job_status['status']) + logging.info(job_status["status"]) - if 'status' in job_status and job_status['status'] == 'FINISHED': - logging.info('job is completely finished!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + if "status" in job_status and job_status["status"] == "FINISHED": + logging.info("job is completely finished!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break - elif 'status' in job_status and job_status['status'] == 'ERROR': - logging.info('job is completed with Error status!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + elif "status" in job_status and job_status["status"] == "ERROR": + logging.info("job is completed with Error status!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break - elif 'status' in job_status and job_status['status'] == 'CANCELLED': - logging.info('job is completed with Cancelled status!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + elif "status" in job_status and job_status["status"] == "CANCELLED": + logging.info("job is completed with Cancelled status!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break else: - logging.info('not quite ready, going to sleep...') + logging.info("not quite ready, 
going to sleep...") next_check = context.current_utc_datetime + timedelta(minutes=export_poll_schedule_minutes) yield context.create_timer(next_check) logging.info( - f'all chunks have been sent to process! {vuln_job_id} finally COMPLETED') - logging.info('Checking that chunks exist...') - logging.info(f'Number of chunks: {len(chunks)}') + f"all chunks have been sent to process! {vuln_job_id} finally COMPLETED") + logging.info("Checking that chunks exist...") + logging.info(f"Number of chunks: {len(chunks)}") tenable_status = TenableStatus.finished.value - if 'status' in job_status and (job_status['status'] == 'CANCELLED' or job_status['status'] == 'ERROR'): + if "status" in job_status and (job_status["status"] == "CANCELLED" or job_status["status"] == "ERROR"): tenable_status = TenableStatus.failed.value return { - 'status': tenable_status, - 'id': vuln_job_id, - 'chunks': chunks, - 'vulnInstanceId': context.instance_id, - 'type': TenableExportType.vuln.value + "status": tenable_status, + "id": vuln_job_id, + "chunks": chunks, + "vulnInstanceId": context.instance_id, + "type": TenableExportType.vuln.value } diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py index b3e8c7eff19..43c5260e582 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py 
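Review bot: `start_time = job_details.get("start_time", 0)` turns a missing orchestrator input into 0, and that value is forwarded in the activity payload to the checkpoint update (the chunk-processing hunk earlier in this diff merges `{"vulns_timestamp": start_time}` once the last chunk finishes), so a caller that omits `start_time` would reset the vulns checkpoint to epoch and cause a full re-export on the next run. Treat it like `vulnJobId`: if the key is absent, log and return the `no_job` result, or pass `None` so the consumer can skip the merge. Minor style: `while not "status" in job_status or ...` reads more naturally as `while "status" not in job_status or ...`. The polling loop still has no upper bound on iterations; that is pre-existing, but a stuck export keeps this orchestration alive indefinitely at one timer per poll interval.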
@@ -1,84 +1,95 @@ +import json import logging import os from ..exports_queue import ExportsQueue, ExportsQueueNames from ..exports_store import ExportsTableStore, ExportsTableNames -from ..tenable_helper import TenableIO, TenableStatus, TenableExportType +from ..tenable_helper import TenableIO, TenableStatus, TenableExportType, update_checkpoint_for_last_chunk # from tenable.io import TenableIO -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value vuln_queue_name = ExportsQueueNames.TenableVulnExportsQueue.value def send_chunks_to_queue(exportJobDetails): - logging.info(f'Sending chunk to queue.') - chunks = exportJobDetails.get('chunks_available', []) - exportJobId = exportJobDetails.get('exportJobId', '') + logging.info(f"Sending chunk to queue.") + chunks = exportJobDetails.get("chunks_available", []) + exportJobId = exportJobDetails.get("exportJobId", "") + start_time = exportJobDetails.get("start_time", 0) + job_status = exportJobDetails.get("status", "") if len(chunks) > 0: vuln_table = ExportsTableStore( connection_string, vuln_export_table_name) + update_checkpoint = False for chunk in chunks: + update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status) chunk_dtls = vuln_table.get(exportJobId, str(chunk)) if chunk_dtls: - current_chunk_status = chunk_dtls['jobStatus'] + current_chunk_status = chunk_dtls["jobStatus"] if ( current_chunk_status == TenableStatus.sent_to_queue.value or current_chunk_status == TenableStatus.finished.value ): logging.warning( - f'Avoiding vuln chunk duplicate processing -- {exportJobId} {chunk}. Current status: {current_chunk_status}') + f"Avoiding vuln chunk duplicate processing -- {exportJobId} {chunk}. 
Current status: {current_chunk_status}") continue vuln_table.post(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sending_to_queue.value, - 'jobType': TenableExportType.vuln.value + "jobStatus": TenableStatus.sending_to_queue.value, + "jobType": TenableExportType.vuln.value }) vuln_queue = ExportsQueue(connection_string, vuln_queue_name) try: - sent = vuln_queue.send_chunk_info(exportJobId, chunk) - logging.warn(f'chunk queued -- {exportJobId} {chunk}') - logging.warn(sent) + sent = vuln_queue.send_chunk_info( + exportJobId, chunk, start_time, update_checkpoint + ) + logging.warning(f"chunk queued -- {exportJobId} {chunk}") + logging.warning(sent) vuln_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sent_to_queue.value + "jobStatus": TenableStatus.sent_to_queue.value }) except Exception as e: - logging.warn( - f'Failed to send {exportJobId} - {chunk} to be processed') - logging.warn(e) + logging.warning( + f"Failed to send {exportJobId} - {chunk} to be processed") + logging.warning(e) vuln_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sent_to_queue_failed.value, - 'jobType': TenableExportType.asset.value + "jobStatus": TenableStatus.sent_to_queue_failed.value, + "jobType": TenableExportType.vuln.value }) else: - logging.info('no chunk found to process.') + logging.info("no chunk found to process.") return -def main(exportJobId: str) -> object: - logging.info('using pyTenable client to check asset export job status') +def main(exportJob: str) -> object: + jsonExportObject = json.loads(exportJob) + exportJobId = jsonExportObject.get("vuln_job_id", "") + start_time = jsonExportObject.get("start_time", 0) + logging.info("using pyTenable client to check vulnerability export job status") logging.info( - f'checking status at vulns/{exportJobId}/status') + f"checking status at vulns/{exportJobId}/status") tio = TenableIO() - job_details = tio.exports.status('vulns', exportJobId) - # r = 
tio.get(f'{get_vuln_export_url()}/{exportJobId}/status') + job_details = tio.exports.status("vulns", exportJobId) + # r = tio.get(f"{get_vuln_export_url()}/{exportJobId}/status") logging.info( - f'received a response from vulns/{exportJobId}/status') + f"received a response from vulns/{exportJobId}/status") logging.info(job_details) - tio_status = ['ERROR', 'CANCELLED'] - if job_details['status'] not in tio_status: + tio_status = ["ERROR", "CANCELLED"] + if job_details["status"] not in tio_status: try: - job_details['exportJobId'] = exportJobId + job_details["exportJobId"] = exportJobId + job_details["start_time"] = start_time send_chunks_to_queue(job_details) except Exception as e: - logging.warn('error while sending chunks to queue') - logging.warn(job_details) - logging.warn(e) + logging.warning("error while sending chunks to queue") + logging.warning(job_details) + logging.warning(e) return job_details diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json index 89e7dd83296..6116f03f684 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json @@ -2,7 +2,7 @@ "scriptFile": "__init__.py", "bindings": [ { - "name": "exportJobId", + "name": "exportJob", "type": "activityTrigger", "direction": "in" } diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py b/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py index 60e53510234..a63dc06c350 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py 
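Review bot: `update_checkpoint` is set per chunk from `update_checkpoint_for_last_chunk(chunk, chunks, job_status)` and carried on the queue message, so as far as this hunk shows the consumer advances the vulns checkpoint when the last chunk id finishes, not when all chunks have finished; chunks are processed independently from the queue, and the processing hunk earlier in this diff marks a chunk `failed` and re-raises on `APIError`, so an earlier chunk can fail while the last one succeeds and the checkpoint still moves forward, silently dropping those findings from the SIEM. Consider gating the merge on every row for `exportJobId` in the exports table being `finished` rather than on chunk position. `update_checkpoint_for_last_chunk` itself is not visible here, so this should be confirmed against its implementation.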
@@ -9,12 +9,12 @@ class AzureSentinel: - def __init__(self, workspace_id, workspace_key, log_type, log_analytics_url=''): + def __init__(self, workspace_id, workspace_key, log_type, log_analytics_url=""): self._workspace_id = workspace_id self._workspace_key = workspace_key self._log_type = log_type - if ((log_analytics_url in (None, '') or str(log_analytics_url).isspace())): - log_analytics_url = 'https://' + self._workspace_id + '.ods.opinsights.azure.com' + if ((log_analytics_url in (None, "") or str(log_analytics_url).isspace())): + log_analytics_url = "https://" + self._workspace_id + ".ods.opinsights.azure.com" pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$" if not re.match(pattern, str(log_analytics_url)): @@ -22,7 +22,7 @@ def __init__(self, workspace_id, workspace_key, log_type, log_analytics_url=''): self._log_analytics_url = log_analytics_url def build_signature(self, date, content_length, method, content_type, resource): - x_headers = 'x-ms-date:' + date + x_headers = "x-ms-date:" + date string_to_hash = method + "\n" + \ str(content_length) + "\n" + content_type + \ "\n" + x_headers + "\n" + resource 
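Review bot: the validation regex on the `log_analytics_url` override, `azure.([a-zA-Z\.]+)$`, leaves the dot before the cloud suffix unescaped, so it also accepts hosts such as `https://x.ods.opinsights.azurexcom`; since this setting decides where workspace data and the HMAC-signed requests are sent, tighten it to `\.azure\.([a-zA-Z\.]+)$`. The line is unchanged context in this hunk, so the issue predates the commit. The body of `__init__` continues past the first hunk.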
@@ -35,30 +35,30 @@ def build_signature(self, date, content_length, method, content_type, resource): return authorization def post_data(self, body): - logging.info('constructing post to send to Azure Sentinel.') - method = 'POST' - content_type = 'application/json' - resource = '/api/logs' - rfc1123date = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') + logging.info("constructing post to send to Azure Sentinel.") + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") content_length = len(body) - logging.info('build signature.') + logging.info("build signature.") signature = self.build_signature( rfc1123date, content_length, method, content_type, resource) - logging.info('signature built.') - uri = self._log_analytics_url + resource + '?api-version=2016-04-01' + logging.info("signature built.") + uri = self._log_analytics_url + resource + "?api-version=2016-04-01" headers = { - 'content-type': content_type, - 'Authorization': signature, - 'Log-Type': self._log_type, - 'x-ms-date': rfc1123date + "content-type": content_type, + "Authorization": signature, + "Log-Type": self._log_type, + "x-ms-date": rfc1123date } - logging.info('sending post to Azure Sentinel.') + logging.info("sending post to Azure Sentinel.") response = requests.post(uri, data=body, headers=headers) logging.info(response.status_code) if (response.status_code >= 200 and response.status_code <= 299): return response.status_code else: - logging.warn("Events are not processed into Azure. Response code: {}".format( + logging.warning("Events are not processed into Azure. Response code: {}".format( response.status_code)) raise Exception( - f'Sending to Azure Sentinel failed with status code {response.status_code}') + f"Sending to Azure Sentinel failed with status code {response.status_code}") 
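Review bot: `response = requests.post(uri, data=body, headers=headers)` has no `timeout`, so a stalled Log Analytics endpoint can hold the activity function until the host kills it, leaving the chunk row in a non-terminal state; the line is unchanged context, so this predates the commit. Add one sized for the sub-chunk payload, e.g. `response = requests.post(uri, data=body, headers=headers, timeout=(10, 120))`. `datetime.utcnow()` is deprecated from Python 3.12; the new package name suggests 3.10 is the target, so this is only a forward-looking note.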
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json b/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json index af6d0f29b82..fda4a393f16 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json @@ -8,22 +8,56 @@ "maxLength": 11, "type": "string" }, - "workspaceID": { - "type": "securestring" + "WorkspaceID": { + "type": "string", + "metadata": { + "description": "Enter Workspace ID of log analytics Workspace" + } }, - "workspaceKey": { - "type": "securestring" + "WorkspaceKey": { + "type": "securestring", + "metadata": { + "description": "Enter Primary Key of log analytics Workspace" + } }, - "tenableAccessKey": { + "TenableAccessKey": { "type": "securestring", "metadata": { - "description": "An access key for using the Tenable API (required)" + "description": "Enter Access key for using the Tenable API" } }, - "tenableSecretKey": { - "type": "securestring" + "TenableSecretKey": { + "type": "securestring", + "metadata": { + "description": "Enter Tenable Secret Key for Authentication" + } }, - "tenableExportScheduleInMinutes": { + "Lowest Severity to Store": { + "defaultValue": "Info", + "allowedValues": [ + "Critical", + "High", + "Medium", + "Low", + "Info" + ], + "metadata": { + "description": "The Lowest Vulnerability severity to store." + }, + "type": "string" + }, + "ComplianceDataIngestion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Select true if you want to enable compliance data ingestion from Tenable VM. Default is false." + }, + "allowedValues": [ + true, + false + ] + }, + "TenableExportScheduleInMinutes": { "type": "int", "defaultValue": 1440 }, @@ -82,7 +116,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { 
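Review bot: `WorkspaceID` moves from `securestring` to `string`, so it is now recorded in plain text in deployment history and ARM logs; the workspace ID is not usually treated as a secret, but it is half of the credential pair sent with `WorkspaceKey` to the Data Collector API, so this should be a deliberate choice and a `metadata.description` note saying so would make that visible. The new `"minimumTlsVersion": "TLS1_2"` on the storage account is good; if the resource does not already set them elsewhere in the template (not visible here), `"supportsHttpsTrafficOnly": true` and `"allowBlobPublicAccess": false` belong next to it. The `allowedValues` list on the `bool` parameter is redundant.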
@@ -162,16 +197,18 @@ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]", "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('functionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", - "WorkspaceID": "[parameters('workspaceID')]", - "WorkspaceKey": "[parameters('workspaceKey')]", - "TIO_SECRET_KEY": "[parameters('tenableSecretKey')]", - "TIO_ACCESS_KEY": "[parameters('tenableAccessKey')]", - "TenableExportScheduleInMinutes": "[parameters('tenableExportScheduleInMinutes')]", + "WorkspaceID": "[parameters('WorkspaceID')]", + "WorkspaceKey": "[parameters('WorkspaceKey')]", + "TIO_SECRET_KEY": "[parameters('TenableSecretKey')]", + "TIO_ACCESS_KEY": "[parameters('TenableAccessKey')]", + "LowestSeveritytoStore": "[parameters('Lowest Severity to Store')]", + "ComplianceDataIngestion": "[parameters('ComplianceDataIngestion')]", + "TenableExportScheduleInMinutes": "[parameters('TenableExportScheduleInMinutes')]", "PyTenableUAVendor": "Microsoft", "PyTenableUAProduct": "Azure Sentinel", "PyTenableUABuild": "0.0.1", "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", - "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-TenableVMAzureSentinelConnector-functionapp" + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-TenableVMAzureSentinelConnector310-functionapp" } } ] diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py b/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py index 3bda7282ea7..cb5eb77de18 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py 
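Review bot: `"ComplianceDataIngestion": "[parameters('ComplianceDataIngestion')]"` injects a `bool`-typed parameter into the site's `appSettings`, whose values are documented as strings; whether the deployment engine coerces a boolean is not something the template should rely on, so `"[string(parameters('ComplianceDataIngestion'))]"` makes the intent explicit and guarantees the function sees `"true"`/`"false"`. The Python side presumably parses that string — worth confirming, since it is not visible in this diff. The pre-existing `TenableExportScheduleInMinutes` int line has the same shape and would benefit from the same `string()` wrapper for consistency.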
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py @@ -18,17 +18,19 @@ def create(self): try: queue_client.create_queue() except ResourceExistsError: - logging.warn(f'Queue {self.queue_name} already exists') + logging.warning(f"Queue {self.queue_name} already exists") - def send_chunk_info(self, export_job_id, chunk_id): + def send_chunk_info(self, export_job_id, chunk_id, start_time, update_checkpoint=False): with QueueClient.from_connection_string(self.connection_string, self.queue_name, message_encode_policy=BinaryBase64EncodePolicy(), message_decode_policy=BinaryBase64DecodePolicy()) as queue_client: - chunk_info = {'exportJobId': export_job_id, 'chunkId': chunk_id} - return queue_client.send_message(json.dumps(chunk_info).encode('utf-8')) + chunk_info = {"exportJobId": export_job_id, "chunkId": chunk_id, "startTime": start_time, "updateCheckpoint": update_checkpoint} + return queue_client.send_message(json.dumps(chunk_info).encode("utf-8")) class ExportsQueueNames(Enum): - TenableAssetExportsQueue = 'tenable-asset-export-queue' - TenableVulnExportsQueue = 'tenable-vuln-export-queue' - TenableAssetExportsPoisonQueue = 'tenable-asset-export-queue-poison' - TenableVulnExportsPoisonQueue = 'tenable-vuln-export-queue-poison' + TenableAssetExportsQueue = "tenable-asset-export-queue" + TenableVulnExportsQueue = "tenable-vuln-export-queue" + TenableComplianceExportsQueue = "tenable-compliance-export-queue" + TenableAssetExportsPoisonQueue = "tenable-asset-export-queue-poison" + TenableVulnExportsPoisonQueue = "tenable-vuln-export-queue-poison" + TenableComplianceExportsPoisonQueue = "tenable-compliance-export-queue-poison" diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py b/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py index fc02bea7ab8..e4a1624682e 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py 
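Review bot: `send_chunk_info` gains a required positional `start_time` and an `update_checkpoint` flag with no docstring, and `start_time` goes straight into `json.dumps`, which raises `TypeError` if a caller passes a `datetime`; either document that callers must supply an ISO-8601 string or epoch number, or serialize defensively with `json.dumps(chunk_info, default=str).encode("utf-8")`. Every existing caller must also be updated for the new positional argument — they are outside this hunk, so I cannot confirm that here. A short docstring stating the expected type of `start_time` and what `update_checkpoint=True` signals to the queue consumer would record the contract for the next reader.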
@@ -17,38 +17,38 @@ def create(self):
 try:
 table_client.create_table()
 except ResourceExistsError:
- logging.warn("Table already exists")
+ logging.warning("Table already exists")
 
 def post(self, pk: str, rk: str, data: dict = None):
 with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client:
 entity_template = {
- 'PartitionKey': pk,
- 'RowKey': rk,
+ "PartitionKey": pk,
+ "RowKey": rk,
 }
 if data is not None:
 entity_template.update(data)
 try:
 table_client.create_entity(entity_template)
 except Exception as e:
- logging.warn('could not post entity to table')
- logging.warn(e)
+ logging.warning("could not post entity to table")
+ logging.warning(e)
 raise e
 
 def get(self, pk: str, rk: str):
 with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client:
 try:
 logging.info(
- f'looking for {pk} - {rk} on table {self.table_name}')
+ f"looking for {pk} - {rk} on table {self.table_name}")
 return table_client.get_entity(pk, rk)
 except ResourceNotFoundError:
 return None
 
 def upsert(self, pk: str, rk: str, data: dict = None):
 with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client:
- logging.info(f'upserting {pk} - {rk} on table {self.table_name}')
+ logging.info(f"upserting {pk} - {rk} on table {self.table_name}")
 entity_template = {
- 'PartitionKey': pk,
- 'RowKey': rk,
+ "PartitionKey": pk,
+ "RowKey": rk,
 }
 if data is not None:
 entity_template.update(data)
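Review bot: In `post`, the pair `logging.warning("could not post entity to table")` / `logging.warning(e)` followed by `raise e` logs the exception without its traceback and re-raises in the less idiomatic form; `logging.exception("could not post entity to table")` captures message and stack in one call, and a bare `raise` keeps the original traceback intact. Since the quote normalisation already rewrites these lines, it is a cheap fix in the same hunk. The `get` and `upsert` bodies rewritten here look fine; `upsert` continues outside the hunk.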
@@ -72,8 +72,8 @@ def query_by_partition_key(self, pk):
 def query_for_finished_chunks_by_partition_key(self, pk):
 table_client = TableClient.from_connection_string(
 self.connection_string, self.table_name)
- parameters = {'key': pk, 'status': TenableStatus.finished.value}
- name_filter = 'PartitionKey eq @key and jobStatus eq @status'
+ parameters = {"key": pk, "status": TenableStatus.finished.value}
+ name_filter = "PartitionKey eq @key and jobStatus eq @status"
 try:
 return table_client.query_entities(name_filter, parameters=parameters)
 except HttpResponseError as e:
@@ -83,8 +83,8 @@ def query_for_finished_chunks_by_partition_key(self, pk):
 def query_for_all_finished_chunks(self):
 table_client = TableClient.from_connection_string(
 self.connection_string, self.table_name)
- parameters = {'status': TenableStatus.finished.value}
- name_filter = 'jobStatus eq @status'
+ parameters = {"status": TenableStatus.finished.value}
+ name_filter = "jobStatus eq @status"
 try:
 return table_client.query_entities(name_filter, parameters=parameters)
 except HttpResponseError as e:
@@ -94,8 +94,8 @@ def query_for_all_finished_chunks(self):
 def query_for_failed_chunks_by_partition_key(self, pk):
 table_client = TableClient.from_connection_string(
 self.connection_string, self.table_name)
- parameters = {'key': pk, 'status': TenableStatus.failed.value}
- name_filter = 'PartitionKey eq @key and jobStatus eq @status'
+ parameters = {"key": pk, "status": TenableStatus.failed.value}
+ name_filter = "PartitionKey eq @key and jobStatus eq @status"
 try:
 return table_client.query_entities(name_filter, parameters=parameters)
 except HttpResponseError as e:
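Review bot: `query_for_finished_chunks_by_partition_key`, `query_for_all_finished_chunks` and `query_for_failed_chunks_by_partition_key` each build a `TableClient.from_connection_string(...)` without the `with` block that `post`, `get` and `upsert` use, so the client and its HTTP session are never closed. Because `query_entities` returns a lazy pager the client must outlive the `return`, which is presumably why `with` was avoided; a comment such as `# not a context manager: the returned pager needs the client open` would keep the next reader from "fixing" it, or the results could be materialised with `list(...)` inside a `with`. The same pattern recurs in the `@@ -105` and `@@ -117` hunks below. Each method's `except` body continues outside the hunk.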
@@ -105,8 +105,8 @@ def query_for_failed_chunks_by_partition_key(self, pk): def query_for_all_failed_chunks(self): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) - parameters = {'status': TenableStatus.failed.value} - name_filter = 'jobStatus eq @status' + parameters = {"status": TenableStatus.failed.value} + name_filter = "jobStatus eq @status" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: @@ -117,12 +117,12 @@ def query_for_all_processing_chunks(self): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) parameters = { - 'failedStatus': TenableStatus.failed.value, - 'processingStatus': TenableStatus.processing.value, - 'sentStatus': TenableStatus.sent_to_queue.value, - 'sendingStatus': TenableStatus.sending_to_queue.value + "failedStatus": TenableStatus.failed.value, + "processingStatus": TenableStatus.processing.value, + "sentStatus": TenableStatus.sent_to_queue.value, + "sendingStatus": TenableStatus.sending_to_queue.value } - name_filter = 'jobStatus eq @failedStatus or jobStatus eq @processingStatus or jobStatus eq @sentStatus or jobStatus eq @sendingStatus' + name_filter = "jobStatus eq @failedStatus or jobStatus eq @processingStatus or jobStatus eq @sentStatus or jobStatus eq @sendingStatus" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: @@ -140,10 +140,10 @@ def list_all(self): def merge(self, pk: str, rk: str, data: dict = None): with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: - logging.info(f'upserting {pk} - {rk} on table {self.table_name}') + logging.info(f"upserting {pk} - {rk} on table {self.table_name}") entity_template = { - 'PartitionKey': pk, - 'RowKey': rk, + "PartitionKey": pk, + "RowKey": rk, } if data is not None: entity_template.update(data) 
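Review bot: `merge` logs `f"upserting {pk} - {rk} on table {self.table_name}"`, a verbatim copy of the `upsert` message, so a log reader cannot tell a merge from an upsert; change it to `logging.info(f"merging {pk} - {rk} on table {self.table_name}")`. The body of `merge` — including the actual table call — continues outside the hunk.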
@@ -154,3 +154,6 @@ class ExportsTableNames(Enum): TenableExportStatsTable = "TenableExportStatsTable" TenableAssetExportTable = "TenableAssetExportTable" TenableVulnExportTable = "TenableVulnExportTable" + TenableComplianceExportTable = "TenableComplianceExportTable" + TenableExportCheckpointTable = "TenableExportCheckpointTable" + diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/host.json b/Solutions/Tenable App/Data Connectors/TenableVM/host.json index 519fe11b518..325b8148c54 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/host.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/host.json @@ -11,5 +11,16 @@ "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[3.*, 4.0.0)" + }, + "extensions": { + "durableTask": { + "storageProvider": { + "type": "AzureStorage" + } + } + }, + "concurrency": { + "dynamicConcurrencyEnabled": true, + "snapshotPersistenceEnabled": true } -} +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt b/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt index 7d796f89fed..b2bacd7b379 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt +++ b/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt @@ -6,5 +6,5 @@ azure-data-tables==12.1.0 azure-functions==1.7.2 azure-functions-durable==1.0.3 azure-storage-queue==12.4.0 -pyTenable==1.3.3 +pyTenable==1.5.3 requests==2.32.2 \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py b/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py index e885a554b18..08bcf382d79 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py 
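Review bot: The host.json hunk turns on `concurrency.dynamicConcurrencyEnabled` and `snapshotPersistenceEnabled` host-wide, which changes how the runtime throttles every trigger in this app, yet neither the diff nor the visible description says why; JSON cannot carry a comment, so the PR description should state the motivation (e.g. the new compliance export queue) so operators know what to expect. The same hunk also drops the file's trailing newline (`\ No newline at end of file`), and the `ExportsTableNames` hunk above adds a stray blank line at the end of exports_store.py — both are whitespace noise worth cleaning up.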
@@ -3,7 +3,7 @@ import json from tenable.io import TenableIO as BaseIO -from tenable.io.exports import ExportsAPI +from tenable.io.exports.api import ExportsAPI from enum import Enum from queue import Queue from typing import List, Dict @@ -29,9 +29,9 @@ def chunk(self, export_type: str, uuid: str, chunk: int) -> list: class TenableIO(BaseIO): def __init__(self, **kwargs): - kwargs['vendor'] = os.getenv('PyTenableUAVendor', 'Microsoft') - kwargs['product'] = os.getenv('PyTenableUAProduct', 'Azure Sentinel') - kwargs['build'] = os.getenv('PyTenableUABuild', '0.0.1') + kwargs["vendor"] = os.getenv("PyTenableUAVendor", "Microsoft") + kwargs["product"] = os.getenv("PyTenableUAProduct", "Azure Sentinel") + kwargs["build"] = os.getenv("PyTenableUABuild", "0.0.1") super().__init__(**kwargs) @property @@ -40,18 +40,20 @@ def exports(self): class TenableStatus(Enum): - finished = 'FINISHED' - failed = 'FAILED' - no_job = 'NO_JOB_FOUND' - processing = 'PROCESSING' - sending_to_queue = 'SENDING_TO_QUEUE' - sent_to_queue = 'SENT_TO_QUEUE' - sent_to_queue_failed = 'SENT_TO_QUEUE_FAILED' - sent_to_sub_orchestrator = 'SENT_TO_SUB_ORCHESTRATOR' + finished = "FINISHED" + failed = "FAILED" + no_job = "NO_JOB_FOUND" + processing = "PROCESSING" + sending_to_queue = "SENDING_TO_QUEUE" + sent_to_queue = "SENT_TO_QUEUE" + sent_to_queue_failed = "SENT_TO_QUEUE_FAILED" + sent_to_sub_orchestrator = "SENT_TO_SUB_ORCHESTRATOR" + class TenableExportType(Enum): - asset = 'ASSET_EXPORT_JOB' - vuln = 'VULN_EXPORT_JOB' + asset = "ASSET_EXPORT_JOB" + vuln = "VULN_EXPORT_JOB" + compliance = "COMPLIANCE_EXPORT_JOB" class TenableChunkPartitioner: @@ -62,7 +64,7 @@ class TenableChunkPartitioner: @staticmethod def partition_chunks_into_30MB_sub_chunks(inputChunk: List[Dict]) -> List[List[Dict]]: - ''' + """ This method divides export chunks received from Tenable.io response, into multiple sub-chunks such that each sub-chunk is <= 30MB. 
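Review bot: `from tenable.io.exports.api import ExportsAPI` binds this module to the internal package layout of pyTenable, presumably because the `1.3.3` → `1.5.3` bump in requirements.txt moved the class; a comment such as `# pyTenable >= 1.5 exposes ExportsAPI under exports.api; keep in step with requirements.txt` would tell the next upgrader where to look. `TenableExportType.compliance` is added here, but any code that dispatches on `TenableExportType` members lives outside this hunk and needs checking for the new value. The `TenableChunkPartitioner` docstring hunk at the bottom continues into the next hunk.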
@@ -70,11 +72,11 @@ def partition_chunks_into_30MB_sub_chunks(inputChunk: List[Dict]) -> List[List[D https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api#data-limits. Parameters: - inputChunk (List[Dict]): List containing vuln/assets objects in chunk. + inputChunk (List[Dict]): List containing vuln/assets/compliance objects in chunk. Returns: List[List[Dict]] -> List containing one or more sub-chunks created out of input chunk. - ''' + """ queue = Queue() output_sub_chunks = [] @@ -109,6 +111,25 @@ def partition_chunks_into_30MB_sub_chunks(inputChunk: List[Dict]) -> List[List[D logging.info('Re-enqueued 2 sub-chunks with elements: %d <-> %d', len(left_chunk), len(right_chunk)) - logging.info('Created %d output sub-chunks.', len(output_sub_chunks)) + logging.info("Created %d output sub-chunks.", len(output_sub_chunks)) return output_sub_chunks + + +def update_checkpoint_for_last_chunk(chunk, chunks, job_status): + """ + Check for last chunk from list of chunks. + + Args: + chunk (int): chunk id + chunks (list): List of chunk ids + job_status (str): status of the job + + Returns: + bool: Returns True if last chunk is found, otherwise False + """ + if chunk == chunks[-1] and job_status.upper() == "FINISHED": + logging.info("last chunk and job finished, set update checkpoint flag to true.") + return True + else: + return False diff --git a/Solutions/Tenable App/Package/3.0.1.zip b/Solutions/Tenable App/Package/3.0.1.zip index 2c352577d98..495b1215f99 100644 Binary files a/Solutions/Tenable App/Package/3.0.1.zip and b/Solutions/Tenable App/Package/3.0.1.zip differ diff --git a/Solutions/Tenable App/Package/mainTemplate.json b/Solutions/Tenable App/Package/mainTemplate.json index 6e72676c06c..911d6fe9b45 100644 --- a/Solutions/Tenable App/Package/mainTemplate.json +++ b/Solutions/Tenable App/Package/mainTemplate.json 
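Review bot: `update_checkpoint_for_last_chunk` indexes `chunks[-1]` and calls `job_status.upper()` unconditionally, so an empty chunk list raises `IndexError` and a `None` status raises `AttributeError` inside an orchestration step; guard both and collapse the redundant `if/else`: `return bool(chunks) and chunk == chunks[-1] and (job_status or "").upper() == "FINISHED"`, keeping the `logging.info` line on the true path if the log is wanted. The docstring types `chunk` as `int`, but the comparison is against whatever `chunks` holds — state the element type there so callers stay honest. Comparing against `TenableStatus.finished.value` (defined in this same file) rather than the literal `"FINISHED"` would also keep the two in step.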
@@ -268,10 +268,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -282,7 +282,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -292,7 +291,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -375,10 +375,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -389,7 +389,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -399,7 +398,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -482,10 +482,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -499,7 +499,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -509,7 +508,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -592,10 +592,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -609,7 +609,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -619,7 +618,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -702,10 +702,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -716,7 +716,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", 
@@ -726,7 +725,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -809,10 +809,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -823,7 +823,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -833,7 +832,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -916,10 +916,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -933,7 +933,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -943,7 +942,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1026,10 +1026,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1040,7 +1040,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1050,7 +1049,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1133,10 +1133,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1147,7 +1147,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1157,7 +1156,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } 
@@ -1240,10 +1240,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1257,7 +1257,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1267,7 +1266,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1350,10 +1350,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1364,7 +1364,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1374,7 +1373,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1457,10 +1457,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1471,7 +1471,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1481,7 +1480,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } 
@@ -1999,7 +1999,7 @@ "id": "[variables('_uiConfigId2')]", "title": "Tenable Vulnerability Management (using Azure Functions)", "publisher": "Tenable", - "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset and Vulnerability data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", + "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", "additionalRequirementBanner": "These queries and workbooks are dependent on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on Kusto to work as expected which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { @@ -2011,6 +2011,11 @@ "metricName": "Total data received", "legend": "Tenable_VM_Vuln_CL", "baseQuery": "Tenable_VM_Vuln_CL" + }, + { + "metricName": "Total data received", + "legend": "Tenable_VM_Compliance_CL", + "baseQuery": "Tenable_VM_Compliance_CL" } ], "sampleQueries": [ 
@@ -2022,6 +2027,10 @@ "description": "Tenable VM Report - All Vulns", "query": "Tenable_VM_Vuln_CL\n | sort by TimeGenerated desc" }, + { + "description": "Tenable VM Report - All Compliance", + "query": "Tenable_VM_Compliance_CL\n | sort by TimeGenerated desc" + }, { "description": "Select unique vulnerabilities by a specific asset.", "query": "Tenable_VM_Vuln_CL\n | where asset_fqdn_s has \"one.one.one.one\"\n | summarize any(asset_fqdn_s, plugin_id_d, plugin_cve_s) by plugin_id_d" @@ -2039,6 +2048,10 @@ { "name": "Tenable_VM_Vuln_CL", "lastDataReceivedQuery": "Tenable_VM_Vuln_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Tenable_VM_Compliance_CL", + "lastDataReceivedQuery": "Tenable_VM_Compliance_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -2053,6 +2066,12 @@ "value": [ "Tenable_VM_Vuln_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Tenable_VM_Compliance_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "availability": { 
@@ -2095,7 +2114,7 @@ }, "instructionSteps": [ { - "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk) and [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk), [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
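Review bot: The new instruction text runs the link and its qualifier together — `[compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected)` renders as "compliance(if selected)"; insert a space before `(if selected)`. The identical string appears again in the `@@ -2338,7 +2376,7 @@` hunk further down. mainTemplate.json is presumably generated by the solution packaging tooling, so the fix belongs in the connector definition it is built from as well as here.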
@@ -2104,7 +2123,7 @@ "description": ">**NOTE:** This data connector depends on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on a Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration steps for TenableVM\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" + "description": "**STEP 1 - Configuration steps for TenableVM**\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function App**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", 
@@ -2130,7 +2149,7 @@ ] }, { - "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Select **Lowest Severity to Store** to set the lowest vulnerability severity. Default is Info. \n5. Select true for **Compliance Data Ingestion** to ingest Compliance data. Default is false. \n6. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n7. Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { 
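Review bot: Step 3 still ends with `and deploy` although the renumbered list now continues with four more steps before `7. Click **Purchase** to deploy`; drop the trailing `and deploy` from step 3 so the sequence reads in order. As with the other instruction strings, this text is presumably generated from the connector definition, so the source should be fixed too.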
@@ -2141,7 +2160,7 @@ "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-TenableVMAzureSentinelConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. TenableVMXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLowestSeveritytoStore\n\t\tComplianceDataIngestion\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." } ], "metadata": { 
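Review bot: The application-settings list numbers two consecutive steps `3.` (`3. Add each of the following application settings` and `3. Once all application settings have been entered`); the second should be `4.`. The newly listed `LowestSeveritytoStore` and `ComplianceDataIngestion` settings give no accepted values, unlike the ARM parameter descriptions in this same diff, so readers configuring by hand have to guess — add `LowestSeveritytoStore (Critical/High/Medium/Low/Info, default Info)` and `ComplianceDataIngestion (true/false, default false)`.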
@@ -2243,7 +2262,7 @@ "connectorUiConfig": { "title": "Tenable Vulnerability Management (using Azure Functions)", "publisher": "Tenable", - "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset and Vulnerability data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", + "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", "graphQueries": [ { "metricName": "Total data received", @@ -2254,6 +2273,11 @@ "metricName": "Total data received", "legend": "Tenable_VM_Vuln_CL", "baseQuery": "Tenable_VM_Vuln_CL" + }, + { + "metricName": "Total data received", + "legend": "Tenable_VM_Compliance_CL", + "baseQuery": "Tenable_VM_Compliance_CL" } ], "dataTypes": [ @@ -2264,6 +2288,10 @@ { "name": "Tenable_VM_Vuln_CL", "lastDataReceivedQuery": "Tenable_VM_Vuln_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Tenable_VM_Compliance_CL", + "lastDataReceivedQuery": "Tenable_VM_Compliance_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ 
@@ -2278,6 +2306,12 @@ "value": [ "Tenable_VM_Vuln_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Tenable_VM_Compliance_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "sampleQueries": [ @@ -2289,6 +2323,10 @@ "description": "Tenable VM Report - All Vulns", "query": "Tenable_VM_Vuln_CL\n | sort by TimeGenerated desc" }, + { + "description": "Tenable VM Report - All Compliance", + "query": "Tenable_VM_Compliance_CL\n | sort by TimeGenerated desc" + }, { "description": "Select unique vulnerabilities by a specific asset.", "query": "Tenable_VM_Vuln_CL\n | where asset_fqdn_s has \"one.one.one.one\"\n | summarize any(asset_fqdn_s, plugin_id_d, plugin_cve_s) by plugin_id_d" 
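Review bot: The added `IsConnectedQuery` for `Tenable_VM_Compliance_CL` is a separate entry in `connectivityCriterias`, yet compliance ingestion is optional and off by default according to the ARM step in a later hunk (`Default is false`). If the portal requires every criterion to pass, a deployment that leaves compliance disabled would show the connector as not connected even though assets and vulnerabilities are flowing; if the criteria are ORed, a live compliance table could mask a stalled vulnerability export. The intended semantics should be made explicit, either by folding the new table into the existing criterion with `union Tenable_VM_Vuln_CL, Tenable_VM_Compliance_CL` so connectivity reflects any of the tables, or by a comment in the definition stating that this criterion only applies when `ComplianceDataIngestion` is true.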
@@ -2338,7 +2376,7 @@ }, "instructionSteps": [ { - "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk) and [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk), [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
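Review bot: In the rewritten NOTE, `[compliance](...)(if selected)` runs the link straight into the parenthetical; a space is needed: `... and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export) (if selected) at a regular interval ...`. It would also help to say what "selected" refers to, since the setting that enables it (`ComplianceDataIngestion`) is only introduced several steps later in the same instruction list.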
@@ -2347,7 +2385,7 @@ "description": ">**NOTE:** This data connector depends on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on a Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration steps for TenableVM\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" + "description": "**STEP 1 - Configuration steps for TenableVM**\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function App**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", 
@@ -2373,7 +2411,7 @@ ] }, { - "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Select **Lowest Severity to Store** to set the lowest vulnerability severity. Default is Info. \n5. Select true for **Compliance Data Ingestion** to ingest Compliance data. Default is false. \n6. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n7. Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { 
@@ -2384,7 +2422,7 @@ "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-TenableVMAzureSentinelConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. TenableVMXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLowestSeveritytoStore\n\t\tComplianceDataIngestion\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." } ], "id": "[variables('_uiConfigId2')]", diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json index 6d00d9bacac..e96be9db6e8 100644 --- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json 
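Review bot: The updated application-settings list adds `LowestSeveritytoStore` and `ComplianceDataIngestion` but, unlike `logAnalyticsUri`, gives no hint of the accepted values, whereas the ARM option in the earlier hunk documents `Default is Info` and a `true`/`false` choice; a reader on the manual path has to guess, and a mistyped severity value may silently change what is stored. Suggest two bullets after the `logAnalyticsUri` one, e.g. `> - Use LowestSeveritytoStore to set the lowest vulnerability severity to ingest (default Info).` and `> - Set ComplianceDataIngestion to true to ingest compliance data (default false).`, keeping the names aligned with the ARM parameters. The step numbering is also still `3.` twice (`3. Add each ...` and `3. Once all ...`); the second should be `4.`. The identical description string in the earlier instructionSteps hunk of this file (whose start is outside this chunk) has the same gaps.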
+++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json @@ -47,7 +47,36 @@ "baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'" } ], - "sampleQueries": [], + "sampleQueries": [ + { + "description": "Get a sample of CarbonBlack Alert logs", + "query": "CarbonBlack_Alerts_CL\n | take 10" + }, + { + "description": "Get a sample of CarbonBlack Watchlist logs", + "query": "CarbonBlack_Watchlist_CL\n| take 10" + }, + { + "description": "Get a sample of Carbonblack ASimNetwork Session logs", + "query": "ASimNetworkSessionLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimProcess Event logs", + "query": "ASimProcessEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimFile Event logs", + "query": "ASimFileEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimRegistry Event logs", + "query": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimAuthentication Event logs", + "query": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + } + ], "dataTypes": [ { "name": "CarbonBlack_Alerts_CL", diff --git a/Solutions/VMware Carbon Black Cloud/Package/3.0.3.zip b/Solutions/VMware Carbon Black Cloud/Package/3.0.3.zip new file mode 100644 index 00000000000..59c736d9ee7 Binary files /dev/null and b/Solutions/VMware Carbon Black Cloud/Package/3.0.3.zip differ 
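Review bot: The new `sampleQueries` entries are inconsistent in small ways a user copying them will notice: the first query uses `\n | take 10` (leading space) while the others use `\n| take 10`, and the network-session description says `Carbonblack` where every other entry says `CarbonBlack`. Both are cosmetic, but this block is repeated verbatim in the two mainTemplate.json hunks below (which appear to be generated from this definition), so fixing it here avoids three copies drifting. Suggest `"query": "CarbonBlack_Alerts_CL\n| take 10"` and `"description": "Get a sample of CarbonBlack ASimNetwork Session logs"`.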
diff --git a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
index 38af927a5a4..1a908fe95fb 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
@@ -64,7 +64,7 @@
 }
 },
 {
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "link": {
@@ -225,4 +225,4 @@
 "workspace": "[basics('workspace')]"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
index 4daff88ace3..9d8b76701b8 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "VMware Carbon Black Cloud",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-vmwarecarbonblack",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -199,6 +199,36 @@ "baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'" } ], + "sampleQueries": [ + { + "description": "Get a sample of CarbonBlack Alert logs", + "query": "CarbonBlack_Alerts_CL\n | take 10" + }, + { + "description": "Get a sample of CarbonBlack Watchlist logs", + "query": "CarbonBlack_Watchlist_CL\n| take 10" + }, + { + "description": "Get a sample of Carbonblack ASimNetwork Session logs", + "query": "ASimNetworkSessionLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimProcess Event logs", + "query": "ASimProcessEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimFile Event logs", + "query": "ASimFileEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimRegistry Event logs", + "query": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimAuthentication Event logs", + "query": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + } + ], "dataTypes": [ { "name": "CarbonBlack_Alerts_CL", 
@@ -2173,6 +2203,36 @@ "baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'" } ], + "sampleQueries": [ + { + "description": "Get a sample of CarbonBlack Alert logs", + "query": "CarbonBlack_Alerts_CL\n | take 10" + }, + { + "description": "Get a sample of CarbonBlack Watchlist logs", + "query": "CarbonBlack_Watchlist_CL\n| take 10" + }, + { + "description": "Get a sample of Carbonblack ASimNetwork Session logs", + "query": "ASimNetworkSessionLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimProcess Event logs", + "query": "ASimProcessEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimFile Event logs", + "query": "ASimFileEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimRegistry Event logs", + "query": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimAuthentication Event logs", + "query": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + } + ], "dataTypes": [ { "name": "CarbonBlack_Alerts_CL", 
@@ -2565,7 +2625,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VMware Carbon Black Cloud data connector with template version 3.0.2", + "description": "VMware Carbon Black Cloud data connector with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -2978,7 +3038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3091,7 +3151,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -3213,7 +3273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VMwareCarbonBlack Workbook with template version 3.0.2", + "description": "VMwareCarbonBlack Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -3309,7 +3369,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CarbonBlackConnector Playbook with template version 3.0.2", + "description": "CarbonBlackConnector Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4975,7 +5035,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.2", + "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -6778,7 +6838,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.2", + "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -7521,7 +7581,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.2", + "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -7945,7 +8005,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "VMware Carbon Black Cloud", diff --git a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md index 016a1ec3595..b4bc33b9dd6 100644 --- a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md +++ b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md 
@@ -1,4 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------------------------------|
+| 3.0.3 | 28-10-2024 | Added Sample Queries to the CCP **Data Connector** template |
+| 3.0.2 | 15-10-2024 | Added new CCP **Data Connector** to the Solution |
 | 3.0.1 | 17-04-2024 | Added Azure Deploy button for government portal deployments in **Data connectors** |
-| 3.0.0 | 19-02-2024 | Alterts API integration done in Carbon Black **Function App** |
+| 3.0.0 | 19-02-2024 | Alterts API integration done in Carbon Black **Function App** |
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 44fdc2a3243..8da138881c4 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -175,8 +175,7 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoNetworks",
- "PaloAltoNetworksAma"
+ "CefAma"
 ],
 "previewImagesFileNames": [
 "PaloAltoOverviewWhite1.png",
@@ -200,8 +199,7 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoNetworks",
- "PaloAltoNetworksAma"
+ "CefAma"
 ],
 "previewImagesFileNames": [
 "PaloAltoNetworkThreatWhite1.png",
@@ -4565,8 +4563,6 @@
 "Zscaler",
 "ZscalerAma",
 "MicrosoftSysmonForLinux",
- "PaloAltoNetworks",
- "PaloAltoNetworksAma",
 "AzureMonitor(VMInsights)",
 "AzureFirewall",
 "AzureNSG",
@@ -4576,7 +4572,8 @@
 "CheckPoint",
 "Fortinet",
 "CiscoMeraki",
- "FortinetAma"
+ "FortinetAma",
+ "CefAma"
 ],
 "previewImagesFileNames": [],
 "version": "1.0.0",
diff --git a/Workbooks/1Password.json b/Workbooks/1Password.json
index 7cfad028e0c..36f5244b76a 100644
--- a/Workbooks/1Password.json
+++ b/Workbooks/1Password.json
@@ -17,7 +17,7 @@
 ],
 "parameters": [
 {
- "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a",
+ "id": "1ca69445-60fc-4806-b43d-ac7e6aad63",
 "version": "KqlParameterItem/1.0",
 "name": "Subscription",
 "type": 6,
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 5dc0ef53bc2..27f602be2b1 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -282,7 +282,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoNetworks",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -307,7 +306,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoNetworks",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -5517,7 +5515,6 @@
 "WindowsForwardedEvents",
 "Zscaler",
 "MicrosoftSysmonForLinux",
- "PaloAltoNetworks",
 "AzureMonitor(VMInsights)",
 "AzureFirewall",
 "AzureNSG",
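Review bot: The new `id` value `1ca69445-60fc-4806-b43d-ac7e6aad63` is the previous GUID with its last two hex digits dropped, so the final group has 10 characters instead of 12 and the string is no longer a well-formed UUID. Workbook parameter ids are conventionally GUIDs; if the change was meant to avoid a collision with another parameter, the fix should be a freshly generated full GUID (e.g. `<NEW-GUID-PLACEHOLDER>`) rather than a truncation, and if the old id was fine the change should be dropped. The enclosing `parameters` array continues outside the hunk.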
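Review bot: The third hunk (`@@ -5517`) only removes `PaloAltoNetworks` from a long `dataConnectorsDependencies` list, whereas the matching change to the V2 copy of this metadata in the previous file both removes the Palo Alto entries and appends `CefAma`. If that workbook's list in this file does not already contain `CefAma` (the rest of the list is outside the hunk), the dependency is dropped rather than migrated; the first two hunks here do keep `CefAma`, so it is worth confirming the two files end up in sync.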
@@ -5662,169 +5659,169 @@ "provider": "Microsoft Sentinel Community" }, { - "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png", - "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png" - ], - "version": "1.1.0", - "title": "Microsoft Exchange Least Privilege with RBAC - Online", - "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. 
Required Data Connector: Exchange Security Insights On-Premises Collector.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeLeastPrivilegewithRBACBlack.png", - "MicrosoftExchangeLeastPrivilegewithRBACWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Least Privilege with RBAC", - "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSearchAdminAuditLog", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSearchAdminAuditLogBlack.png", - "MicrosoftExchangeSearchAdminAuditLogWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Search AdminAuditLog", - "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is dedicated to Online Exchange organizations. 
It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).", - "dataTypesDependencies": [ - "OfficeActivity" - ], - "dataConnectorsDependencies": [ - "Office365" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png", - "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png" - ], - "version": "1.0.0", - "title": "Microsoft Exchange Search AdminAuditLog - Online", - "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityMonitoring", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSecurityMonitoringBlack.png", - "MicrosoftExchangeSecurityMonitoringWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Admin Activity", - "templateRelativePath": "Microsoft Exchange Admin Activity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeAdminActivity-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).", - "dataTypesDependencies": [ - "OfficeActivity" - ], - "dataConnectorsDependencies": [ - "Office365" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeAdminActivity-OnlineBlack.png", - "MicrosoftExchangeAdminActivity-OnlineWhite.png" - ], - "version": "1.0.0", - "title": "Microsoft Exchange Online Admin Activity", - "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityReview-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSecurityReview-OnlineBlack.png", - "MicrosoftExchangeSecurityReview-OnlineWhite.png" - ], - "version": "1.1.0", - "title": "Microsoft Exchange Security Review - Online", - "templateRelativePath": "Microsoft Exchange Security Review - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityReview", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. 
Required Data Connector: Exchange Security Insights On-Premises Collector.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSecurityReviewBlack.png", - "MicrosoftExchangeSecurityReviewWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Security Review", - "templateRelativePath": "Microsoft Exchange Security Review.json", - "subtitle": "", - "provider": "Microsoft" - }, + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", + "dataTypesDependencies": [ + "ESIExchangeOnlineConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnlineCollector" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png", + "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png" + ], + "version": "1.1.0", + "title": "Microsoft Exchange Least Privilege with RBAC - Online", + "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. 
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeLeastPrivilegewithRBACBlack.png",
+ "MicrosoftExchangeLeastPrivilegewithRBACWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Least Privilege with RBAC",
+ "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSearchAdminAuditLog",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSearchAdminAuditLogBlack.png",
+ "MicrosoftExchangeSearchAdminAuditLogWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Search AdminAuditLog",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook is dedicated to Online Exchange organizations. 
It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png",
+ "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Search AdminAuditLog - Online",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityMonitoring",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSecurityMonitoringBlack.png",
+ "MicrosoftExchangeSecurityMonitoringWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Admin Activity",
+ "templateRelativePath": "Microsoft Exchange Admin Activity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeAdminActivity-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeAdminActivity-OnlineBlack.png",
+ "MicrosoftExchangeAdminActivity-OnlineWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Admin Activity - Online",
+ "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityReview-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSecurityReview-OnlineBlack.png",
+ "MicrosoftExchangeSecurityReview-OnlineWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Exchange Security Review - Online",
+ "templateRelativePath": "Microsoft Exchange Security Review - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityReview",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSecurityReviewBlack.png",
+ "MicrosoftExchangeSecurityReviewWhite.png"
+ ],
+ "version": "2.0.0",
+ "title": "Microsoft Exchange Security Review",
+ "templateRelativePath": "Microsoft Exchange Security Review.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
{
"workbookKey": "ibossMalwareAndC2Workbook",
"logoFileName": "iboss_logo.svg",
@@ -8364,7 +8361,10 @@
"title": "Data Latency Workbook",
"templateRelativePath": "Data_Latency_Workbook.json",
"subtitle": "",
- "provider": "InspiraEnterprise"
+ "provider": "InspiraEnterprise",
+ "source": {
+ "kind": "Community"
+ }
},
{
"workbookKey": "User_Analytics",
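Review bot: The `"source": { "kind": "Community" }` object is attached only to the Data Latency Workbook entry, while the Microsoft Exchange workbook entries (re)added earlier in this same metadata file carry no `source` field at all, so the file ends up with two shapes for the same record type. If `source.kind` is now consumed by the metadata validator or the gallery build, the entries without it will be classified by whatever the default is, which presumably is not what the authors intend for the first-party Exchange workbooks; if it is optional, a short note in the validator or the contributing docs stating the allowed `kind` values and the default would avoid the ambiguity. I cannot tell from this hunk which of the two applies, so this is worth confirming against the schema before merge.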