adding files from #11384

Solutions/Threat Intelligence/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json

@@ -1,6 +1,6 @@
 {
     "id": "MicrosoftDefenderThreatIntelligence",
-    "title": "Microsoft Defender Threat Intelligence (Preview)",
+    "title": "Microsoft Defender Threat Intelligence",
     "publisher": "Microsoft",
     "logo": {
         "type": 258,

Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json

@@ -1,6 +1,6 @@
 {
     "id": "PremiumMicrosoftDefenderForThreatIntelligence",
-    "title": "Premium Microsoft Defender Threat Intelligence (Preview)",
+    "title": "Premium Microsoft Defender Threat Intelligence",
     "publisher": "Microsoft",
     "logo": {
         "type": 258,

Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json

@@ -1,86 +1,86 @@
 {
-	"id": "ThreatIntelligenceTaxii",
-	"title": "Threat intelligence - TAXII",
-	"publisher": "Microsoft",
-	"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
-	"graphQueries": [
-		{
-			"metricName": "Total data received",
-			"legend": "ThreatIntelligenceIndicator",
-			"baseQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") "
-		}
-	],
-	"sampleQueries": [
-		{
-			"description": "Summarize by threat type",
-			"query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n            and ExpirationDateTime > now() | join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
-		},
-		{
-			"description": "Summarize by 1 hour bins",
-			"query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n            and TimeGenerated >= ago(1d) | summarize count()"
-		}
-	],
-	"connectivityCriterias": [
-		{
-			"type": "SentinelKinds",
-			"value": [
-				"ThreatIntelligenceTaxii"
-			]
-		}
-	],
-	"dataTypes": [
-		{
-			"name": "ThreatIntelligenceIndicator",
-			"lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
-		}
-	],
-	"availability": {
-		"status": 2,
-		"isPreview": false,
-		"featureFlag": {
-			"feature": "TaxiiConnector",
-			"featureStates": {
-				"1": 2,
-				"2": 2,
-				"3": 2,
-				"4": 2,
-				"5": 2,
-				"6": 1,
-				"7": 1
-			}
-		}
-	},
-	"permissions": {
-		"customs": [
-			{
-				"name": "TAXII Server",
-				"description": "TAXII 2.0 or TAXII 2.1 Server URI and Collection ID."
-			}
-		],
-		"resourceProvider": [
-			{
-				"provider": "Microsoft.OperationalInsights/workspaces",
-				"permissionsDisplayText": "read and write permissions.",
-				"providerDisplayName": "Workspace",
-				"scope": "Workspace",
-				"requiredPermissions": {
-					"read": true,
-					"write": true,
-					"delete": true
-				}
-			}
-		]
-	},
-	"instructionSteps": [
-		{
-			"title": "Configure TAXII servers to stream STIX 2.0 or 2.1 STIX objects to Microsoft Sentinel",
-			"description": "You can connect your TAXII servers to Microsoft Sentinel using the built-in TAXII connector. For detailed configuration instructions, see the [full documentation](https://docs.microsoft.com/azure/sentinel/import-threat-intelligence#adding-threat-indicators-to-azure-sentinel-with-the-threat-intelligence---taxii-data-connector). \n\nEnter the following information and select Add to configure your TAXII server.",
-			"instructions": [
-				{
-					"parameters": {},
-					"type": "ThreatIntelligenceTaxii"
-				}
-			]
-		}
-	]
-}
+    "id": "ThreatIntelligenceTaxii",
+    "title": "Threat intelligence - TAXII",
+    "publisher": "Microsoft",
+    "descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "ThreatIntelligenceIndicator",
+            "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") "
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description": "Summarize by threat type",
+            "query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n            and ExpirationDateTime > now() | join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
+        },
+        {
+            "description": "Summarize by 1 hour bins",
+            "query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n            and TimeGenerated >= ago(1d) | summarize count()"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "SentinelKinds",
+            "value": [
+                "ThreatIntelligenceTaxii"
+            ]
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "ThreatIntelligenceIndicator",
+            "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "availability": {
+        "status": 2,
+        "isPreview": false,
+        "featureFlag": {
+            "feature": "TaxiiConnector",
+            "featureStates": {
+                "1": 2,
+                "2": 2,
+                "3": 2,
+                "4": 2,
+                "5": 2,
+                "6": 1,
+                "7": 1
+            }
+        }
+    },
+    "permissions": {
+        "customs": [
+            {
+                "name": "TAXII Server",
+                "description": "TAXII 2.0 or TAXII 2.1 Server URI and Collection ID."
+            }
+        ],
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "read": true,
+                    "write": true,
+                    "delete": true
+                }
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "Configure TAXII servers to stream STIX 2.0 or 2.1 threat indicators to Microsoft Sentinel",
+            "description": "You can connect your TAXII servers to Microsoft Sentinel using the built-in TAXII connector. For detailed configuration instructions, see the [full documentation](https://docs.microsoft.com/azure/sentinel/import-threat-intelligence#adding-threat-indicators-to-azure-sentinel-with-the-threat-intelligence---taxii-data-connector). \n\nEnter the following information and select Add to configure your TAXII server.",
+            "instructions": [
+                {
+                    "parameters": {},
+                    "type": "ThreatIntelligenceTaxii"
+                }
+            ]
+        }
+    ]
+}

Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators.json

@@ -1,70 +1,70 @@
 {
-	"id": "ThreatIntelligenceUploadIndicatorsAPI",
-	"title": "Threat Intelligence Upload API (Preview)",
-	"publisher": "Microsoft",
-	"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
-	"graphQueries": [
-		{
-			"metricName": "Total indicators received",
-			"legend": "Connection Events",
-			"baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'"
-		}
-	],
-	"sampleQueries": [
-		{
-			"description": "All Threat Intelligence APIs Indicators",
-			"query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
-		}
-	],
-	"dataTypes": [
-		{
-			"name": "ThreatIntelligenceIndicator",
-			"lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
-		}
-	],
-	"connectivityCriterias": [
-		{
-			"type": "IsConnectedQuery",
-			"value": [
-				"ThreatIntelligenceIndicator | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false"
-			]
-		}
-	],
-	"availability": {
-		"status": 1,
-		"isPreview": true
-	},
-	"permissions": {
-		"resourceProvider": [
-			{
-				"provider": "Microsoft.SecurityInsights/threatintelligence/write",
-				"permissionsDisplayText": "write permissions are required.",
-				"providerDisplayName": "Workspace",
-				"scope": "Workspace",
-				"requiredPermissions": {
-					"write": true,
-					"read": true,
-					"delete": true
-				}
-			}
-		]
-	},
-	"instructionSteps": [
-		{
-			"title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: ",
-			"description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. \n - Note: The 'Status' of the connector will not appear as 'Connected' here, because the data is ingested by making an API call."
-		},
-		{
-			"title": "Follow These Steps to Connect to your Threat Intelligence: ",
-			"description": ""
-		},
-		{
-			"title": "1. Get Microsoft Entra ID Access Token",
-			"description": "To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n  - Notice: Please request Microsoft Entra ID access token with scope value: https://management.azure.com/.default  "
-		},
-		{
-			"title": "2. Send STIX objects to Sentinel",
-			"description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01  \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to.  \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\"  \n \n>Body: The body is a JSON object containing an array of STIX objects."
-		}
-	]
+    "id": "ThreatIntelligenceUploadIndicatorsAPI",
+    "title": "Threat Intelligence Upload Indicators API (Preview)",
+    "publisher": "Microsoft",
+    "descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+    "graphQueries": [
+        {
+            "metricName": "Total indicators received",
+            "legend": "Connection Events",
+            "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description": "All Threat Intelligence APIs Indicators",
+            "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "ThreatIntelligenceIndicator",
+            "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "ThreatIntelligenceIndicator | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": true
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.SecurityInsights/threatintelligence/write",
+                "permissionsDisplayText": "write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: ",
+            "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. \n - Note: The 'Status' of the connector will not appear as 'Connected' here, because the data is ingested by making an API call."
+        },
+        {
+            "title": "Follow These Steps to Connect to your Threat Intelligence: ",
+            "description": ""
+        },
+        {
+            "title": "1. Get Microsoft Entra ID Access Token",
+            "description": "To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n  - Notice: Please request Microsoft Entra ID access token with scope value: https://management.azure.com/.default  "
+        },
+        {
+            "title": "2. Send indicators to Sentinel",
+            "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01  \n\n>WorkspaceID: the workspace that the indicators are uploaded to.  \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\"  \n \n>Body: The body is a JSON object containing an array of indicators in STIX format."
+        }
+    ]
 }