From 1d9d9bbdbe74c018f6dfc7b0927b39225a8e6e40 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Tue, 12 Nov 2024 14:52:49 +0530
Subject: [PATCH 1/4] Repackaged - PaloAltoCDL ,Akamai Security Events
---
 .../PaloAltoCDLConflictingMacAddress.yaml | 8 +-
 ...AltoCDLDroppingSessionWithSentTraffic.yaml | 8 +-
 .../PaloAltoCDLFileTypeWasChanged.yaml | 8 +-
 .../PaloAltoCDLInboundRiskPorts.yaml | 8 +-
 ...oAltoCDLPossibleAttackWithoutResponse.yaml | 8 +-
 .../PaloAltoCDLPossibleFlooding.yaml | 8 +-
 .../PaloAltoCDLPossiblePortScan.yaml | 8 +-
 .../PaloAltoCDLPrivilegesWasChanged.yaml | 8 +-
 ...aloAltoCDLPutMethodInHighRiskFileType.yaml | 8 +-
 .../PaloAltoCDLUnexpectedCountries.yaml | 8 +-
 .../Data/Solution_PaloAltoCDL.json | 6 +-
 .../PaloAltoCDLCriticalEventResult.yaml | 6 -
 ...loAltoCDLFilePermissionWithPutRequest.yaml | 6 -
 .../PaloAltoCDLIPsByPorts.yaml | 6 -
 ...oAltoCDLIncompleteApplicationProtocol.yaml | 6 -
 .../PaloAltoCDLMultiDenyResultbyUser.yaml | 6 -
 .../PaloAltoCDLOutdatedAgentVersions.yaml | 6 -
 .../PaloAltoCDLOutdatedConfigVersions.yaml | 6 -
 ...loAltoCDLRareApplicationLayerProtocol.yaml | 6 -
 .../PaloAltoCDLRareFileRequests.yaml | 6 -
 .../PaloAltoCDLRarePortsbyUser.yaml | 6 -
 Solutions/PaloAltoCDL/Package/3.0.3.zip | Bin 0 -> 16630 bytes
 .../Package/createUiDefinition.json | 60 +-
 .../PaloAltoCDL/Package/mainTemplate.json | 982 ++----------------
 Solutions/PaloAltoCDL/ReleaseNotes.md | 7 +-
 .../WorkbookMetadata/WorkbooksMetadata.json | 3 +-
 26 files changed, 112 insertions(+), 1086 deletions(-)
 create mode 100644 Solutions/PaloAltoCDL/Package/3.0.3.zip
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
index 81401f5c774..5896c8273f1 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Low
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -41,5 +35,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml
index abf28003630..fa10805393f 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -42,5 +36,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml
index 9a6dab968bd..911bed836ce 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -38,5 +32,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: FileCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
index 5baa1a91f52..5ef42bacff5 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -35,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml
index 62b781dce53..23f40b19968 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -41,5 +35,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: UrlCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml
index f2686a7c25d..cb2a057acf0 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -38,5 +32,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml
index 9bdf086a6a3..038b0fa17f0 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -35,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml
index a6d86b1007e..4d322af5ea8 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -40,5 +34,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
index 02aebf9a6c0..4ab6e4eea8c 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -36,5 +30,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: FileCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml
index 9ce90b596bb..069b83cab9d 100644
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml
+++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -39,5 +33,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json b/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json
index ed4b296cc48..a286bb9d729 100644
--- a/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json
+++ b/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json
@@ -21,10 +21,6 @@
 "Hunting Queries/PaloAltoCDLRareFileRequests.yaml",
 "Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_PaloAlto_CDL_CEF.json",
- "Data Connectors/template_PaloAlto_CDLAMA.json"
- ],
 "Analytic Rules": [
 "Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml",
 "Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml",
@@ -43,7 +39,7 @@
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\One\\Azure\\Azure-Sentinel\\Solutions\\PaloAltoCDL",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml
index c2108395bd9..cb6c5cc49da 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows critical event result'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml
index 68a1bc837aa..6cfe481311c 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml
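Review bot: Dropping the whole `"Data Connectors"` array from Solution_PaloAltoCDL.json leaves the package metadata disagreeing with itself: the repackaged description later in this patch still advertises `**Data Connector:** 1` while the dataconnectors step is removed from createUiDefinition.json, so an installer is told to expect a connector that this solution no longer ships. If the CEF via AMA connector is meant to come solely from the Common Event Format solution dependency, the count should be dropped or reworded to say so; if a connector is still expected in this package, the array needs to stay. The new description string also lacks a space after the comma in `1,**Parsers:** 1`. The description text appears to be generated from this file, so fixing the source here and regenerating would keep the two from drifting again.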
@@ -4,12 +4,6 @@ description: |
 'Query shows file permission with PUT or POST request'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml
index 331208ffe6c..efc46cf2cf3 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows destination ports by IP address.'
 severity: Low
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml
index 66496442fd6..b412b0a3908 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows incomplete application protocol'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml
index 6473eb5e7f3..4b6edc9a17b 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows multiple Deny results by user'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml
index 0aa78622ebf..0274a20abeb 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows agents which are not updated to the latest version'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml
index 8d2279994f2..439d8c41740 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows outdated config vesions'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml
index d70b005bff6..f19781610a2 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows Rare application layer protocols'
 severity: Low
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml
index 8492ccf00ab..c737cd51626 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows rare files observed'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml
index e12311d296e..4b6588e22fe 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows rare ports by user.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Package/3.0.3.zip b/Solutions/PaloAltoCDL/Package/3.0.3.zip new file mode 100644 index 0000000000000000000000000000000000000000..8f1142309f39c9f0656d566110b6fd7f7163e393 GIT binary patch literal 16630 zcmZ|1Q(x=+MKJp6_V*o80x>`Zy2Ta8^c=W!lhzCS&;d zFd6kx0>(UFq6iqT-zMH3ZOp4UTxTN@*^Vr@*JL6v@3$_g(r$w=sdIX~2qE97us$mc zZ=oxVmQ!ZP;3am|-q)1nM}yEJE;gni&@Wl!Fi7}z#`RU4B@rQ$0PuWXLnLO8#!Pz) z4S*SKU!&i76n?`HC>ehva_E;fS7_*%K&9RzMo2VYb-A(-t3OmpL0plu;Yv0q6YLAp z15jWbz}*eW#lNp`1qfr)(198O#`f}&A!I5-!IVbh=^RX5ZOIOm)tW7=;K{_y5U|IBuW;C>mYU|}c$76BIXE>3%lLN^nT*THi4vi^ z_cM>lpT)OLH`Gm+0~&yU#~TV|<6R%Bnj9-+n*%8&p--JW@I%v)jgSS_UEUQlTuMIa z^5%s+fp8mcC5+T3oM1gpJ8YNIV>|Xu0o4N`r?DKOrx4^}!GZyuT^xfn%ex@3XZPRo zoSw2j|E|#3QJ5&Wgfhzx)K|l^T=I60>9yJp4%YwMFCtE}5{2742ITpIU6&>d=m-BI zLf~SA-aoT)vic-a5trcrpdm$r8sz;MlI18N@=kaek!D+z90msojf)Cyj+_|5MCWJ8>mo&@SKMcES(B zP~P-@R6joYAdG|zjbB%!!W8XW7tLLr=Qr1+y-C3xc>To>mNTK6s7GgCN z_l9Bz+^Ob9yKVYtvr{K2lEqvD>5DJuRKMq?0c!DvL=_z_KsuZ~U_F2RSA& zyDGj1;Os-v@CAe&W_b1<1~y3NV-n0A2^inpRRzj1B^pu8BrlKAn_HaZKp}DI04}QA z*f`JeP*(8`Ni)kxG9sa8z4!6)R$7u8t(%;z0lx_JaMC&m3U-^_u&dfD0ewV@cITbA z((!-aIJfOSwY9bd=$D?Sma|CM{|Et+I+)W_9dkoN41#RRGbDlUQpYp^q-G=!V6x_J zy2nq_YIsaQ{Z(h+2N4ym1aw40xK|cbi13y|;ct)A-&8ZUhye@bQwStv1A;!^mPlbl z${af_vIM}=5$O2qCLX#*Qs*;G)MAU?0nS889arqn2BEuV;g>UD-T(~L6&JloolJ=^ zrmn0)POclRY*#c6KOJXw32cx8mr4d}(%1YX5{z#xFoP~c{yC#MS%@ZG${0I~f*WHHNE7 z)TPcHdWv9(zGCerQiDeLNDLq#B4igK^G&Gj7F6{j)b~tCh>QSMqi$nnKpehn*X5#l zzwf7nPPo|#TsSh_lU5CExNj?pwA*r*=sdU&0CPFeR43g!MFc}D?~O^?xSE3{k)N~P z0=7DXKwR3)>tFTjb1^f1A?nEp*1g$n_n`4f`Qi0oQTgB#fVhm~hI}2h0*C(hNslaX_ z)CUT=X%8NbsuED+*!pM6N8gQ4O$a|v)pVY^V=EyucKZr+(l7KP^S6WM^QREz@2|%@ zGx)b$x7%|7t>1hoNj?orJ+d}1&lvB2fZtWGN~%+@6F=u*^Z5bJs)h$$3EFg9(`=pR zK&~wv=Q>pi^irXpbd=z$v;~(3r>L0e9@k)@Ql>z@H>XW^BuZr0Da3?A{}qkvGU zZ%aYX+p4h%&LU(;Hg(&xa;vnb`(VU-O!;}OMQ3fIEb&ub99J6yu2 zO{w}D6q08>Q+66%4xd>tCVmNcsPKyt4@qNLt%vQuMGeB+od+*;jz6xg8;{!xJab3B zbh-$6;WbnD!dpQ9ovA|VX9Nyop|7)Y-pCJ#X_jRD6LRQ@dihKZqdH)_t 
zIF>c+iMsWWA{^=yVwSrcx~1$ggBx=RNpPd?M!Sx%4K}(fUiHFW^h8hxUquYY6ym9xspPDz~sgiP} z@o{?cd5!S#Gg>d4FM;^E9xPAdjT@;*g{6B1+6A%rv-3`0~;2Z?#iV71>|{YXjI z+1;1b%|*o?wba1FQo)<#PB>m{0t#^3*f>Y+LX;7We==$-*%C1ucJEFVB#Do-L(t$B z-g{c0Lseh5ajIyjD`#)eDlI;5^QH#*0B%L1zPE#04lRyRSv2upvRAe42W@bcc|MTONTIkX zBtH&W(>`|rT6mMVsmYKdLYC!g=WUd=Brq341bgC^b}3xY!KG-sb8{*!p8xI~EV`7; zl>*vXS1kCO4cI0@lu7Qxl`%ihKH&MDG6iuSKx6gE4Rdu>Hu(mNrIp+s^Egt-NsVox z2D+bu{6asRT1Ls0S&{dRw5d;9%-BlG(s zRcZeHGVyx>@zwTL`lLriKmlEw{D@l|d(xd!~#upoNZ;wd@T4PWz?&BW z4mQ?u^;G3ncQz~l8ZU>$AD4p(VSk)}Ov(lox-&L$6sjbGv0@iwger}MvCO(ULYpOD zlJ_+C%aB$!5H~XbBG7TDL=0?Os@V06nRzvM-cvo;zxeFqR(QiiA$f#5Z2z1AE z$%Hs6Gb|*GDNJz(i1iVO*DEy!^C*+Oc~{KYrn@X=orO_n0kfwK7JOXvy8t%*#UUMW z2E)VF3%ZUdv_*Xw;$z!Gk7IVm{h>kQcvlcAQhBzM!;yC)YdJ-Sod~#Ai>L_g^)*)8 zQO?W@LO*zPo5h*cqyqw?AL^(gCvS+92+9|YPXW(bmWzlQ;eEVY`nC+ojOnbbyR+F< zw#;34k1;hqXHt9*HWd2{kIdEYz)s=`_X%kPz~i(WD%vbiE^ z;I?6@x8{a5=rrnAcYIb|&_)QBpJOBKA-odd$YX*sXIeI~Oww1FBC#hwJ2ipU+-RX; z?inCpK+cKd)UrsvEcw<*Q))B^ZI!J~)hP0%Oc0=@hZP09d440Xe`BHoSpXs0g8!ec5z z+II1ya$DtQ8?9K(ztzUO-Z~6>XqXwhxlsuh4VYy2g+}Lum0YRERLs_W^OS5o+I3-} zjOV2iC4IlDbqdPF4cMP^Me;kH6#9z$5O43Ih@Gme|7MtVys3P8Xr17O)$NL@$vw%h zXR&_b4Z&k8{noalS5waCVx`dwO%t{q@eO3pPYw^r6!IeuJg#})^^_9 z^{h_e238Da6O_FbTZr`QwI7W3$Z}Wbzxp}L7;bw1(J!tUxTTX@VCsy6iUs<=#wv!J z*`G$I)%>axnRT`+7u*&Hbe;rvYo$6S+e&p~T^W6IJ^l;7_eW5#W9Q9KKsBcqaFUj} zJ~IP~8Nrzp9>%N9$G4AZ>5(ncY`PxDi%#p|Hmd`R_jBy(ooh6!)|*DMJ{JouyHwrQ zz1*$c3j(h3<9O88R~HSV=Z_M8_gQu1=xcA(WSp)-ssc35>|X;MU|GaL8_Mu9t|MC# z;Ewb3SI?XW+M60O9j?K4?|bkqd$w?UxDEWQe5*2%oP2GcFYqn%;(>N6i2d0V;H9MS zOY&)nu$tW@&hNmF&3)SVo9=8u)-M}^FQHfgX$5u3sIGo?CwKT(#S7d8cCC>8+MYk7 z*l##*&^XJ@?)}Jn{~vj#^nc}_|0|ETSs7sGk)YBYw_9}ZXX664!wvdK!z!f_{@NQD zT=TXy^cIeNl97K^;-8s4lls*~%RH-zJyzmvwuaJ?X4lzU&N^m!RtLYsh1S9NdV+t) z0V@IrT{X1<2ffF_=~HH31MY26fZwbOrX{*~baHbzWjt$$UGiY{vwU3Pe+a@B!@##J z?8CxudwYRvo;ksR!&TsM)&1zcf+i7MwzB6x)5hm|0fleb{l`lVx3&TQG5B^@7C;~K zAMN@mL7`9Z$3=-MnJ`dW@FAVz2HQgH6bQ#r7ga)Kq9@Ap9YEd^E}_Jtw}p z!3Ek>v1GOX*-1yUF|N7Q8R+|Xe;;Jo2b82-1#JS 
zJ?Q<;MYN+S)Xbd!PMTq#;+xQs{CVbdgbOxlu03Hsqd93VJ#q6+&}ZeOJIh*WnYP4n zQ-)T?^@m3Q#MP9e!iV0;!=j(o&92#x!xN7V4-kCjIcLj@Ky>1ZrR41%?g>%yz zAxZJZ>38rOrX&hYa;)=Ket?#=3ZPCeIu$v%=2}6Dz*a6=yQ`=7+lCnF6vi>%fS;-+ z)PQbx1uOYDohPKh`%l*bZ8`d5Co%JHp~ENv0EyKqs7cw7awc;9 z#D~o8ww%1N(=&m*qgbf1Fi{v(Bscv*Z(S@Tp1Ug(cx$Uf_g@rAOmndawzX=0=Vh9+ zx{A;|(MTA?t*6Br_`iZRum5=LF$I*rJ^e;w4DlnjPIC)yYD7MyJ{?Ji^s2>fz>-pJ zqUE1ljD@y&fDuLP9*s;z4>CXZB#Qu6RO!Fq|2sr=!RKHHXvNlrzH*Gq#hQM%{Fyc3 zXpVqktQiuMMji8nVSw;33WeZMO=IlIG00qd?{sRk3R3u026o}D)o z(9`?L;2YaVA(|~~Subp+q0T1;U0P`8yLT1?y7`;epbWkjwl>TA&xHS}(IvX+mQ*Q? z70X@EujQ8`A*!}=BA~&#q67S@#IOWE*~5bnpSN@>a}OhpzVbzh6@!~v^}G>zn15oN3)7k5GYr^ zCX32cI-KfeWJ%8B`3Tb8e4$GL9W;xj!aG2yMP7~yVa4~&lJAkhH{p%L3uICPq>svW zQ`hE9{e~U`1j5-s9Y&PnjHEfKa0Tk-+dG z2J3tiH72Vlzf_vn_*t2B8F|CgA;NvmQFhRE3mZ8mZZ|gr3Jd?Ep&`!5V_uk*{eFMao4!~clT^OdV2LSDh{!iVqhBAd{=Lc(+IT?iO* zL7|Dkn-;1gjweM~c`k85pcQQ$wkc167)=o3H1(>2e!a>!*f<*KuPA5DVDOPF1l&0oN$(IBRi!Xxbq z`$d)~@w`L(hu(*n)0E9GaKF^yLV&h3HTyLiVW_-Rc(Vv@W?~L75J+F~hGgavJ zIkoS+;BkY>v*HK=A0J;ELlBc^`#V!#$@&Wq8!yUJCsPb_d=rk1FU{VALdNIJ%4+tr z>v3aTkC{Lp#*31f{0%j^I(k6lehmltS1LCMN&4D`FhTk-Sw_mlV!aqv@3eb$ZQnH##Kk@HhoCzK4b?GU&#c)OF9EWFZHVbVkU zl8DN})OvZI#7tIo%8rY(OdQebDzDVtZ!h@0N4@MZc|knjnUr3ZCq>ArbztjC=OR>> zc1LIhnsPY?*#^P7PlH2Y!Q0z90i);GMkZ~=q6J*?9i=MGj_HW#E;3n3+cZ=y4sAF=tq?9?ZV_9durQifoMN$N1>mS)I9k$mBiDVGNAGUYJw___w{lks+t73jXL8y-5I+xn7Y32Yuq_r{_ z#usC0*&$@EmPRhBX4mFfISZhA4|v|%I$sAh0<;&S0ClHk0m$Mv#-|ux^&U>}lLtCE z`!BYvjNkVmkY}L`G#HP=youK@rsVR)fwv?bROYvz*FaY@Fp2i-=V0Sby(BwwsET*N zfQzpM9|mII70oNo!4QF^Cf^Mt78Dr?i-!ioU%}~K5y`|?6u`CHBCz9Ov}Vli zoNH)Z+*U1$*1qbDYg@e3s(*93Tl5j>WYyvpJoz>_rRFP?uS03S4pSLW-`-CzGB=lCi<*-}}oc5A=E1I-o9R`*&mjyVxsU7jat zsnI#QYIlmUm9EX!I5~#4bJI$0y{J;lrar|`L!0Z{ed6jh#7lYch&mWsvPLZ--~Wgj zCSv~9yaOgLqM;&DB@GFMC%{gd14e6FeTTclL|vOQ;g+Q)g_804NKk!vIf@YET~asK z<*;8zD?fRj1X-W7iXlJRxZ)ZElzmtuq^=eK_wJRw8SJx<#Pw3>?HORf3bTILO=Q*A z?P3dOowodFTbn)aY7zdROSAbUxfAMVfw#8V{|n$%waRuU(!MjpzB9o7L??=KDT*`m 
z!=F%~)!scgy*lUi2F*ew@=j!Wm>gz1Mvs{JuEYT#H{wKCGpO{F*SU}Vw%0V$ZvKRo zZjASDfRGPvJvwG|9IC9}!{a`G(c4^0ldX>HsKG5=e4sv2uX-#oy+^^YLP`#O=w57# zIdf>O&HxX}z~U5rr-2XU2(9Xtj_#Ja?$(sb_qp&`!rQ(PB%yqZ#_HbZd*OfrCNgF0 zc2vwgF|7k}=?9-Utl%GD_3*$%bkLJ6L>3O8ma)iQ?I6ARPc~TWSg4enzj`guG=^V~ zI*fnFrlOO{n4nR%D`+S_-nKdyS~h)9X6-IPQo$I#`g;q*VfzQ*-bqXIZ`fIdCkz`A zs`Tux$D<)wIB!$khHc6aWP&lD?@frC32DbraJPGjZrEQ2b5H6`4nM-+vi(kXFlYx( zGel?{?-u6H+^_n75uRN;tW%Ww;qlyg5h8;0WzJ5;_UKTXMBTr&7N+JU^@sr7MrtXM z$92IT7)1vyk~^n4n~=r*wwBLhKriAmY>@CDwZZ^SpW^}PD2R_JIH7jN%aLj*+wG|U z;%DnWTFdZQnC)WYqCqKCzRWXU!!^?SmCxui-go9kr z_j^Fc@e><_Cu%Fx5Fq7(oqZ9@=t+b<&~qV`C;K>nDCBS@YTu-XtktR8kTzCkAubYZ z_Eo{F>>*>g(Td!cO#;|1?z9&!)uuig|9)TJ{t+m))lqGrU@pP7_#V`$D;NxvzKO%o z&B0owfao}=4UmQnK&qea+DBfT{`3B?y?iF?9{Ph~is5ESpd(f^tgHizgPtvFZUGt! z_TQ)u9Wt_QdQ;ROAGU7#dS77Vx_26+-P1*~#>ef#f#tXJmhw07J|6NQYt>W~cUsb8qyHhK>^^lR6mzSK0(KVCAZ$i8;a5ewwuR5Fd3_YYlty!a=C| z^SQJ*!CG) zp|I&Ofl~IHgBO-6o}ngV@P%_HQcVigS$m%C?k7}RvZ`xnz&;|J+tBDKFZ?!2Yllv_ zRMmYI@_xejEOti8&!%xYbrPox%5`0mMpmlyV0Ony1S&=Tk4Z-#scuRsN%rpZ6y--p z;QW$JEiCt=P{VUV5ddGXKdLOeWlwn4{L{+W_2kbRtw`YI@LZ00Zx;z7Nx02f^cZNG z6;r*DWDHdui@%RCl6CxDsSYF9hbWgKK+g*q;q%hwL=hgA$L%oaZL%PYUtS0DF56R2h?+FEDBxBp}J+tW0|3ip)f|8J=fR=#U-Te97 z^fmE*{rf#d61%;Ft}gB*76VFrV#fNuis&z@KROK@iu9#Y9@SAPq5O5T5+>t>42q<4 z!x7L7Vo5c@LZKjIrwTczeL^+CrpIEjQLj+2fMTwA+A=EV-W(H12|s$8Vx{mLIW7Ur zV4HJ8QEQO|2to_0rP1#W#a1F=hqOrMQmNWuCcVU{@ZdMbu%$o{=P!bWHdTR=27@FQ z#r~zY>L66t@~mtNe@iw(YiLa>>Va%lv4cxawVuH?J?Hp>BJU8@b!5qjGy%79MihjW z3|uDVv4mL(Z!N)a_1FYN-VCzWxX~?wxN+Iyr1NB2K1j=|M-V#WL(_9?MmNgmiXaBZ z2|UYD<`lHf6e@OF#(n|u!uxkcI(wt{?~Uztn$~JUh?j4bD^9&f(x;>=HME^4qVjut z8Il?a8858T>Dc-SVacYUa3KpZikQ}xl4JF!xhHW{)&#s&yxvG7$p8uzb;Mbrz-W^L z!$7+N@S11(7}Hdu-be#fn*EIS89CyVi529^JYp_=3k}nWmX%j!btvu-}KJ zU{UglXKKPdQ>&z4)k|XHyRT77aVN}MFKi-K_uAcEqd>g03Z>~DJ}1Th z{j^JkA<@t4(n<00nVB!OB$ICxh1lqCi>NNO%}~nKj*dhwu1erzyD>#=-)HG zRj&4xXjH5fHYSN(XO<$o8t4;~4Tk3*-i@5z`ok~Fyoi5MOX5n4V}hXo+*?7Zx43vC z=;{tOBrR4(BEK4)6xysQ5DFU@y>;>rWAF&rcMnM4$*p76ZO*52h^M`BwWy9KO=73u 
z6Cc|v>m&k~{x%_>IGS*jP?$z`?@6A=XeV0^w6lc*tnI{+H+0yz63D(!=`IWA z-~glYX|lwCUSU$YN4>ufDQGN9hli@QLRVRjGf?pzfmt5!cR}v>BmTT`dVSTCKx;UL z7`dcUP%+3#?u9i*y6j~@}`KnVUZ4IU6!;tl#wncvy-Oc03|H$X$dPkkcvgl$}***;U zhphdpBfOD;yW(FJ{}mnL|LLhU|8KWx$)Da&4gZYr(@bcTKw2{j2lmikJSdvTWheaA z8Yh@$0^gE4pp-JBjUU_Tqo9xh@fQfGM;T&=#9Xso$Tm@Qc3S6Wo6;;#KmT>zA?{TG zzAT7MKBkuFQ$2G~larP`aU6_P?+mee9KO;XNRC)tNu;JKQMF90q$*P+lf6N}wQi>` zdw??o;o$ocSVUklOyOghJK23p>X^F+x?A2Slm@utGbsaz8vG(EBs-?T-KJ^lAF)Iu z=@HhtR=310p_wb5jSBMNVF1(G#A}nU;Vf!E!PhBMx!>5KelSNPQI%;e5Fuc(lLt+| zr@`a~cdkH0B!|}WB*|Fdc*b>#?SKD3t}1&%tyw10j$_%ej;Eo%7|} zXNShunga@vCQx=>Ym|#3t`up#a;EylnIrhLrNc9Kx3Q>_b9Y<*N?qBqLsg4RQ{3&f zLVXUDiDoVj0yG{34N7)mJ{LxH#G=&Pd~AH7`OtV}?!3g)oVYVar7ByS*g5^uUTQHxKjC9Q`4an$OA$ZPQw83!ZJ7X@R5nA)KolX zg<&i|9La|5ui4XFt`66qw2=>*PZC1xHDvdp?Pwxb!+06EGG$k>5}+o>Q zm+7eI{SA~pVl>@9I(v~s%1eL$*nDOTS((8>tl_%$hg%=q#dlym||wq4u*5`l-sif zgxox5;x64YRK zm**VRWYVvr)n&qOjq9-n!U7_jsle1z4Ao)fWGxE~vV-fe6iw%WCg{U8RU@~OoVFzz zGuJ(;sXKq0txokeVAfi@92`&%SOsK4a=qv$+Q(Q$cJ1$qBy`rZnF1_UaFQqjuA7T% zXC)8vVMmq&TvZj(9OXYn z*G7b`vgrazU;9oLm+lo8SPHYQA|BwE}wpw^!CSCiX)6)pnci8GHy3iDRCF+}=2z8vuVX2YR^ z_ykx1Xu^6_Eb%maR3z|HKOLd_*fpSj<465edjwuwST9pE#XlWcOmFh@kqX>g+UFt0 zZkyly$G8b^Smw=>SqI!&{C#;x_v*%3cgyNKK&K~X%224=Bnqn@KkPQu zL`h8TVCYE{1+-4C>K5~DVxwrT--T(7CY^JL!nm?~-h*;5;Iur<4$OUkzTZ(f$P;nO zbP)5=f|b2#6XCKKX1L9X=Uc7Zr~o zO0i81Dl85}2o)aiZxai}vN|{(gEI*=0D&`8mxfqb(S!;H#6O`GKN}AUfvrw-NDU5= z4f56ftd}k~2kt&ph$((O%#cr*r?SXIx6q;oR0webLBcXqxt3Ui7 z=*kkqJOK#Rgwa!)52u8Qvbbn&={*$!j*_9GyGI3x8vWz%g?k=7jg>GJtIE~>PoNNS z0R99@$WNd|6(JB2c>0NwwMA~iyCQS3yP42DGGiqmh%v=IeMo?oHYIk-;p202OL#Qg zyEh5`p)`3jVqjWG#(8{b?9GB_E0+7rcp1FURPjnUV)Y2IFM$4%Ng1>SFpWtWupM`@ zowSt*qK(`^A4brsI$|BY$DFYB^U%OVxu6Q#N#jUtd5PxG(55z0oVTTnw)$u4qa~fS z`Yc=CP}W@_e3%VAjz+m3T6MfSjHWJ1_rnUA*F197*L**rKuQo@C*5&m{2uFN6TW`< zY#}OaCkR&d7-d>NEz?4)x)(p=UNk_&J_ny%y@gm*z0jC95Wv35y-j_uE_^6Rt8DkU zx}}Tw=wAb3#=cmp^*Ov*s`Sw?8f(wg52E=LNcCQS3079xEMGq@uo~MgXdd}R7P!3> zz*~&nI{#AYZ(<4LcWdN(A4GUO@j7_q9ndNC(bDTn^>wE)%xmiJ%X=3x2+qqX$Z#~^ 
zn6RPfgO~-u4uc@UBO2zVLkV5f+D~-tK@MN0$5M*qH9vF*q>uN2;6~|_%}#8_0O;la<>Y zke-C8U&{B6&YH^^Vtx2R7_LQ(B{t4VpzG^AHf*Hmb=Dod$)=h{Ky?bgPr=}Ux=rwt z8t}3d|+0=w9g6SB^>w*nal4In$P$U1fRK%lU-DaNhlIdKmRwT(pa$= z{B>RoByzxr!yESWLqWDsC-cMXIQpL-NX8&0?lOsn$5<4M!FK?pc*( z?Q0=&M0e~AHv8Svwrx#LnMG8m-j#4nTeNIlk;6sZo5E=;?>r0+3ONW|mM(WR7Xg!C z^K=cMTtayVa~x!d1;2Xh^AlCgQX#@>iPMF^3QyMTqC=3W{rVE`18q6>6QyG?s)mz_ zIZin?P<)pczU1u!iDlaQ5%vnr=SX&oKxQ_&k>PjoRP8Si25{He>=WCghTpDsU{WAo z62_YbYsVkVu72aPF}ifFpO-OR?C4gSj~Tw|j}+Zh9?hrC(K?N%&0|cK+;f#!{0FD@ z;-}4EIuw(0l(YB4r_CBt(Wn7BFegk}Rl>ES1*(xc{{ID)U)>oVi7d00+2)ooSd|Lo zDEQ_k0fv?1R(**i^D5XQPt0sBw)Ryk3^BwrMFjB|xiU^6Co^!@W(rE|&>PY>?0$2dv{FT{gh@kTB&z26bTq~eL$*>rk+LNtA4o^YO$As)7 zg9Wg*c0Xa1Qbq|O0(8ERe^I;uKD3xTtC-Cf9`T_TkWA1dC`CzGk-TVff*Qy%w9Np)ReExS2`E`^2 zWTh`jTSp3@+CsXHtaRKw}orrV?ID)!{N*9rjl2(OEU%o}?;f7^npdXs0n zC*(t8!sd?SB8o?-HJZSAXFQhu*l<{*Z;~@*swKSry15lhi;U7C(J@O^R{KZWr@`)J zZMP0<;lRyB-0lUSt0rSW|Hlb?cFknC)W2XcryG7)R%m?i04gl-zbp%j^&{{AduAYVukDnDh@gpz$o)?Fmi{g+!}%ireD zS5KTP=37Pv+`NjFP5B@J>V1OrZ#R4)Hu}woZnR@bzD>#`__WKqDpB}qnPN6Q zyVuo7k2UG71Z<_GWrB3BO?0iOKwkn4llvO08!M`igJrYrY9Ll}{h~!Vu0k|(H&jul zh8Bj>PYziCpjmE^Fj6lzPW~T{p^)wtudG7M09f`*tY|4EAVQJaHBwHeZkrTZuNW93 zgvsJ+u$$L}&mxNC?t#VjZQLvR$AGyXa*Vxq7(XBT9|NFB#qInFxR5Ot#*~1_@*s1l zY=jnv?{7D4uGjW&`gLyBI_^Gj1Qu11T|Cf0j$F}zSdcm3pOMC`pQnRuDO=Dy%zGD( z>oqnZ!q2o2zt1>zklDZBJw)`qx83a=^eAqI=%po3GJYLgh@TvmL5X5X7C4ILnKG6- z@=ahav|HGtYk+4nMg_L3NuI0|qU&>1Hg4Hv zL^7|8If-F*yI$RAueIhv^Wg0YkBl{8ZT64;$!h+@AJz~SaH?=P{s*t&vAtR7x5Tb+ zrU+Su8l9Y!jGcGxm*xtQnp;L-{9V4gvgKoh(zf&-Cz@sdU=6h<;=O!Pjy3p3dIZvc z`-Je8=j+5|<#V$7IBDZrv%~eNI3!(lbKlFy^-$w?(k99uOE~OKM;pwPl14s?tAq(~ z;jh#oa~*HIz>Zaqu^ziV*XtXGb@~3vi4E)i^ViGkko~6w&$1=Dt~GI-#Is1$KJ3br zas_k4s5S4gRBK}}RM#Sre&Zx|tIxA8OS;YIh{~UeIF4m6p?h-g(1Jt@sGHi?__wj5 z2zh8W+o1+xAs483E_>lGjqNmf6)2%O0rcWMA-~AxC`5G;^WVh(=DKteinjBhg-ls5 zOMb}|)Cvd*3?y|86_co0rUceY`bXiQDmiLuXU#B_CwHc3x@96KJ`JHl4InorjFM}p z?n8+`{GEeg0;$;Xzi_BNeN6vTX#pZ1RpR7?2N`%PI)j$emu0i8jbf~$!~^8!R}rL$ 
zv)A5j|FoG)v$kMji{bv^Ewb~y7xef!9e(z1$6>G|`Vp<-X_RXspW5@>7H3}#<3Mpu z@P+UmBf0E9nVnycq>tnypt+JANvm61!^sK${TJpN--x~h8~-{#(ThA`@Sc0LQg85c z=DeYuOGKDIb2Kb&C=8X5hgPIX)7Tb>FUgP(>zfJ!FUL=31`7{}+7=qVQaIQQA7GA- z;>3WOPY4xH!w>x5R1;usF|!E}K2y5Y!cI8Zp&VRX6sbl{*#wG*IlkpwtG=@qFmlUV z616*JY@c=KGrW`4Mbz|=$1Uu_hDDxA4Zk*>k%z(^JDp$&$K@p$HqT%snnL8k>=>q7 z4+p}tL->>jy5y7x{H6;bC$2!BL8XFV2u>IwFQ{Vj*2WLxrfZ zK>xxa4)ZgaHGsm@VLd3Iatm)Vex-gtU!|n=kUPme>L@=FLn`whNYH91=0&X=(e0Rr zkLt^DIej*=OZg5zCzFTHaJ1;HTkk(!$C5n>r?al4oMIQcLuvC%728i`+Id*a5KHom$kaHhxEj^2b9 z_8OSn)Ob^Ue1CoRoF?QnXaPPB^SgC;eLr#h?T6Fh%Gr^pahCume)naayK%ShpAS`t9g@|MS9=&y7sh4UG-S8L1FA&dva#K-+{_;DTd6n2FHL z;%qv*>vqsCo)!da#3mgDi!m}ZVH@>o%;{YqSOcgBtHS{9_N;d_?~TG=?OfmfabAwS zFw_EI(^M-)X(`aw%)!1k_zR7h5oz*_Kdahpt%}~aJC`-TXhc!h5S!8a^t58yzRHnI zQATg2Ww6QLH^3eT9B0o?7Jg}hK346i<39bNrxwC!6_pA{l@;dpNQ9uL^ikMCa3FB_ zCLoFIJMdyuN8r$6RGycAJvwLAS29@-UHz6VJiocePty1?HMUIFQ z%rSQpeUcmK*kd`68R%cTzamXyI&}K-d)vYe%D%(1maXsprC|()qOrXt9-+mC-x5Oh ztm%=)TMxJe(&sufGlr5Q6YgOA)F^;^!n1T2+b&6S(ypK$s0^I5jVms~&C(}ZgY;&G zQPi!}#AlKHUHF909$!w_X9$Lv%h5WipFG56j7DHQn-JpUz|Y=GDME6r9D2F`JeIk}T~LSV;lv7&qa_YMI16s>a*1i=^Sa_S@W0v0E*&@C#~!-?)aoHs@r zF`_7UCq1~7xUbgYSX%)k$Hk%~^Ud7k@0qcU43I3T^McsJnc=lw#F;^|xk2$+zKw>O zJ4f0ANqa9eVE;m2A8Lzc>}KrJcD$4n-ktAIyJdJZ&%K1{85hJK-_kS$qNT*T9=6w& z!v3Pq$#zxq{HMg%Sd{ai+63NoNbiN%Uq7hV7t zUbl!&JWA)#Hc%E-5BOCNdy=!SV&#l&8-DfEqIJ`vwEQQA#nZb78&S?YAoq^7&MM^v;OQ=GO=(YRJ!}Qnxyp&FsT!R?f=KxrYIcP{t;hm?{A;AYa z0g_|`AJ<&gbe7|y)lfhGM!mUup`OIzt;CjURn_#>w|e=PN+OfTGfa|2MdRBK`^f{f zSb9a$er#CcLiM|DrIE}!2c*v!v-0Q9_1x}B6jf4*Bj@QY2z^O;m&Djkh^lSu`A#RA zc5zqPo4K(oMBWMp>+5d12-;Pc$7ic%=rN+xYnNwN&)1(7mJkpnXwKgER?H_i7&Zyr zr1Jz92m_7\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAltoCDL/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before 
installing.\n\nThe [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) solution provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAltoCDL/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) solution provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,44 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PaloAltoCDL. You can get PaloAltoCDL CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PaloAltoCDL. You can get PaloAltoCDL CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", 
@@ -330,7 +292,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows critical event result This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows critical event result This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -344,7 +306,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows file permission with PUT or POST request This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows file permission with PUT or POST request This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -358,7 +320,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows destination ports by IP address. This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows destination ports by IP address. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -372,7 +334,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows incomplete application protocol This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows incomplete application protocol This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -386,7 +348,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows multiple Deny results by user This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows multiple Deny results by user This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -400,7 +362,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows agents which are not updated to the latest version This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows agents which are not updated to the latest version This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -414,7 +376,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows outdated config vesions This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows outdated config vesions This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -428,7 +390,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows Rare application layer protocols This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows Rare application layer protocols This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
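Review bot: The rewritten huntingquery7 string carries over the typo `vesions` (`"Query shows outdated config vesions This hunting query depends on CefAma data connector ..."`) even though the text was regenerated in this commit. Because createUiDefinition.json is packaged output, the correction presumably belongs in the `description` of the OutdatedConfigVersions hunting-query YAML (`Query shows outdated config versions.`) followed by a repackage, not an edit of the generated file. The same pass could give the neighbouring strings the missing period before "This hunting query", which huntingquery3 has and the others lack.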
@@ -442,7 +404,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows rare files observed This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows rare files observed This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -456,7 +418,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows rare ports by user. This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows rare ports by user. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/PaloAltoCDL/Package/mainTemplate.json b/Solutions/PaloAltoCDL/Package/mainTemplate.json
index c6b5685ee62..6e694a165ae 100644
--- a/Solutions/PaloAltoCDL/Package/mainTemplate.json
+++ b/Solutions/PaloAltoCDL/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "PaloAltoCDL",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-paloaltocdl",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -108,93 +108,75 @@ "_huntingQuerycontentId10": "ce9d58ce-51cd-11ec-bf63-0242ac130002", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ce9d58ce-51cd-11ec-bf63-0242ac130002')))]" }, - "uiConfigId1": "PaloAltoCDL", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PaloAltoCDL", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "PaloAltoCDLAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "PaloAltoCDLAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "976d2eee-51cb-11ec-bf63-0242ac130002", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '976d2eee-51cb-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('976d2eee-51cb-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','976d2eee-51cb-11ec-bf63-0242ac130002','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','976d2eee-51cb-11ec-bf63-0242ac130002','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", + "analyticRuleVersion2": "1.0.4", "_analyticRulecontentId2": "ba663b74-51f4-11ec-bf63-0242ac130002", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ba663b74-51f4-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ba663b74-51f4-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba663b74-51f4-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba663b74-51f4-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", + "analyticRuleVersion3": "1.0.3", "_analyticRulecontentId3": "9150ad68-51c8-11ec-bf63-0242ac130002", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9150ad68-51c8-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9150ad68-51c8-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9150ad68-51c8-11ec-bf63-0242ac130002','-', '1.0.2')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9150ad68-51c8-11ec-bf63-0242ac130002','-', '1.0.3')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", + "analyticRuleVersion4": "1.0.3", "_analyticRulecontentId4": "b2dd2dac-51c9-11ec-bf63-0242ac130002", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2dd2dac-51c9-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2dd2dac-51c9-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2dd2dac-51c9-11ec-bf63-0242ac130002','-', '1.0.2')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2dd2dac-51c9-11ec-bf63-0242ac130002','-', '1.0.3')))]" }, "analyticRuleObject5": { - 
"analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.4", "_analyticRulecontentId5": "b6d54840-51d3-11ec-bf63-0242ac130002", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6d54840-51d3-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6d54840-51d3-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6d54840-51d3-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6d54840-51d3-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.3", + "analyticRuleVersion6": "1.0.4", "_analyticRulecontentId6": "feb185cc-51f4-11ec-bf63-0242ac130002", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'feb185cc-51f4-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('feb185cc-51f4-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','feb185cc-51f4-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','feb185cc-51f4-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.3", + "analyticRuleVersion7": "1.0.4", "_analyticRulecontentId7": "3575a9c0-51c9-11ec-bf63-0242ac130002", "analyticRuleId7": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3575a9c0-51c9-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3575a9c0-51c9-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3575a9c0-51c9-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3575a9c0-51c9-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.3", + "analyticRuleVersion8": "1.0.4", "_analyticRulecontentId8": "38f9e010-51ca-11ec-bf63-0242ac130002", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '38f9e010-51ca-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('38f9e010-51ca-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','38f9e010-51ca-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','38f9e010-51ca-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.3", + "analyticRuleVersion9": "1.0.4", "_analyticRulecontentId9": "f12e9d10-51ca-11ec-bf63-0242ac130002", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f12e9d10-51ca-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f12e9d10-51ca-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f12e9d10-51ca-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f12e9d10-51ca-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.3", + "analyticRuleVersion10": "1.0.4", "_analyticRulecontentId10": "9fcc7734-4d1b-11ec-81d3-0242ac130003", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9fcc7734-4d1b-11ec-81d3-0242ac130003')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9fcc7734-4d1b-11ec-81d3-0242ac130003')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9fcc7734-4d1b-11ec-81d3-0242ac130003','-', '1.0.3')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9fcc7734-4d1b-11ec-81d3-0242ac130003','-', '1.0.4')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, 
@@ -208,7 +190,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDL Workbook with template version 3.0.2",
+ "description": "PaloAltoCDL Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -271,6 +253,10 @@
 {
 "contentId": "PaloAltoCDLAma",
 "kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
 }
 ]
 }
@@ -300,7 +286,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLEvent Data Parser with template version 3.0.2",
+ "description": "PaloAltoCDLEvent Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
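Review bot: The `@@ -271,6 +253,10 @@` hunk appends a `CefAma` entry to the workbook's dependency array but leaves the `"contentId": "PaloAltoCDLAma"` entry on the context line just above it (and presumably a `PaloAltoCDL` entry further up, outside the hunk), even though this same commit deletes the `PaloAltoCDL`/`PaloAltoCDLAma` connector variables from the template and drops them from every analytic rule's requiredDataConnectors. Left as is, the workbook metadata still advertises a dependency on connectors the solution no longer ships, which the content hub will surface as unsatisfied or stale. Since mainTemplate.json is packaged output, the fix belongs in the source workbook metadata (WorkbooksMetadata.json, changed in this commit): make its dependency list contain only `{ "contentId": "CefAma", "kind": "DataConnector" }` and repackage. The enclosing workbook resource begins before this hunk and ends after it.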
@@ -314,7 +300,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "PaloAltoCDLEvent", + "displayName": "Parser for PaloAltoCDLEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "PaloAltoCDLEvent", "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Palo Alto Networks'\n| where DeviceProduct =~ 'LF'\n| extend EventVendor = 'Palo Alto Networks'\n| extend EventProduct = 'Cortex Data Lake'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| parse-kv AdditionalExtensions as (PanOSConfigVersion:string, start:datetime, PanOSBytes:int, PanOSSessionStartTime:datetime, PanOSSourceLocation:string, PanOSDestinationLocation:string, PanOSPacketsSent:int, PanOSPacketsReceived:int, PanOSDGHierarchyLevel1:string, PanOSDGHierarchyLevel2:string, PanOSDGHierarchyLevel3:string, PanOSDGHierarchyLevel4:string, PanOSVirtualSystemName:string, PanOSSourceUUID:string, PanOSDestinationUUID:string, PanOSIMSI:string, PanOSIMEI:string, PanOSParentSessionID:string, PanOSParentStarttime:datetime, PanOSTunnel:string, PanOSEndpointAssociationID:string, PanOSChunksTotal:int, PanOSChunksSent:int, PanOSChunksReceived:int, PanOSRuleUUID:string, PanOSHTTP2Connection:string, PanOSLinkChangeCount:int, PanOSSDWANPolicyName:string, PanOSLinkSwitches:string, PanOSSDWANCluster:string, PanOSSDWANDeviceType:string, PanOSSDWANClusterType:string, PanOSSDWANSite:string, PanOSDynamicUserGroupName:string, [\"PanOSX-Forwarded-ForIP\"]:string, PanOSSourceDeviceCategory:string, PanOSSourceDeviceProfile:string, PanOSSourceDeviceModel:string, PanOSSourceDeviceVendor:string, 
PanOSSourceDeviceOSFamily:string, PanOSSourceDeviceOSVersion:string, PanOSSourceDeviceHost:string, PanOSSourceDeviceMac:string, PanOSDestinationDeviceCategory:string, PanOSDestinationDeviceProfile:string, PanOSDestinationDeviceModel:string, PanOSDestinationDeviceVendor:string, PanOSDestinationDeviceOSFamily:string, PanOSDestinationDeviceOSVersion:string, PanOSDestinationDeviceHost:string, PanOSDestinationDeviceMac:string, PanOSContainerID:string, PanOSContainerNameSpace:string, PanOSContainerName:string, PanOSSourceEDL:string, PanOSDestinationEDL:string, PanOSGPHostID:string, PanOSEndpointSerialNumber:string, PanOSSourceDynamicAddressGroup:string, PanOSDestinationDynamicAddressGroup:string, PanOSHASessionOwner:string, PanOSTimeGeneratedHighResolution:string, PanOSNSSAINetworkSliceType:string, PanOSNSSAINetworkSliceDifferentiator:string, PanOSURLCounter:string, [\"PanOSX-Forwarded-For\"]:string, PanOSReferer:string, PanOSInlineMLVerdict:string, PanOSContentVersion:string, PanOSSigFlags:string, PanOSHTTPHeaders:string, PanOSURLCategoryList:string, PanOSHostID:string, PanOSThreatID:string, PanOSFileHash:string, PanOSApplianceOrCloud:string, PanOSFileType:string, PanOSSenderEmail:string, PanOSEmailSubject:string, PanOSRecipientEmail:string, PanOSReportID:string, PanOSThreatCategory:string, PanOSDomainEDL:string, PanOSPartialHash:string, PanOSTunnelEventType:string, PanOSMobileSubscriberISDN:string, PanOSAccessPointName:string, PanOSRadioAccessTechnology:string, PanOSTunnelMessageType:string, PanOSMobileIP:string, PanOSTunnelEndpointID1:string, PanOSTunnelEndpointID2:string, PanOSTunnelInterface:string, PanOSTunnelCauseCode:string, PanOSMobileCountryCode:string, PanOSMobileNetworkCode:string, PanOSMobileAreaCode:string, PanOSMobileBaseStationCode:string, PanOSTunnelEventCode:string, PanOSPacketsDroppedMax:string, PanOSPacketsDroppedTunnel:string, PanOSTunnelInspectionRule:string, PanOSTunnelRemoteUserIP:string, PanOSTunnelRemoteIMSIID:string, 
PanOSProtocolDataUnitsessionID:string, end:string, PanOSUGFlags:string, PanOSUserIdentifiedBySource:string, PanOSTag:string, PanOSEventTime:datetime, PanOSDeviceGroup:string, PanOSTemplate:string, PanOSSourceUser:string, PanOSHipMatchType:string, PanOSSource:string, PanOSTimestampDeviceIdentification:string, deviceExternalID:string, PanOSVirtualSystem:string, Name:string, PanOSStage:string, PanOSAuthMethod:string, PanOSTunnelType:string, PanOSSourceRegion:string, PanOSPrivateIPv4:string, PanOSPrivateIPv6:string, PanOSEndpointSN:string, PanOSGlobalProtectClientVersion:string, PanOSEndpointOSType:string, PanOSEndpointOSVersion:string, PanOSCountOfRepeats:string, PanOSQuarantineReason:string, PanOSConnectionError:string, PanOSDescription:string, PanOSGlobalProtectGatewayLocation:string, PanOSLoginDuration:string, PanOSConnectionMethod:string, PanOSConnectionErrorID:string, PanOSPortal:string, PanOSSequenceNo:string, PanOSGatewaySelectionType:string, PanOSSSLResponseTime:string, PanOSGatewayPriority:string, PanOSAttemptedGateways:string, PanOSGateway:string, PanOSVirtualSystemID:string, startTime:datetime, PanOSRecordType:string, PanOSCloudDNSClientIP:string, PanOSDNSResolverIP:string, PanOSDNSCategory:string, DestinationDNSDomain:string, suser0:string, duser0:string) with (pair_delimiter=';', kv_delimiter='=', quote=\"'\")\n| extend DvcIpAddr = iff(DeviceCustomIPv6Address1Label == \"Device IPv6 Address\", DeviceCustomIPv6Address1, \"\")\n , DstIpAddr = iff(DeviceCustomIPv6Address3Label == \"Destination IPv6 Address\", DeviceCustomIPv6Address3, \"\")\n , SrcIpAddr = iff(DeviceCustomIPv6Address2Label == \"Source IPv6 Address\", DeviceCustomIPv6Address2, \"\")\n , EventResultDetails = coalesce(column_ifexists(\"reason\",\"\"),column_ifexists(\"Reason\",\"\"))\n , SrcZone = iff(DeviceCustomString4Label == \"FromZone\", DeviceCustomString4, \"\") \n , DstZone = iff(DeviceCustomString5Label == \"Zone\", DeviceCustomString5, \"\") \n , NetworkPackets = 
iff(DeviceCustomNumber2Label == \"PacketsTotal\", DeviceCustomNumber2, int(null))\n , NetworkDuration = iff(DeviceCustomNumber3Label == \"SessionDuration\", DeviceCustomNumber3, int(null))\n , NetworkSessionId = iff(DeviceCustomNumber1Label == \"SessionID\", DeviceCustomNumber1, int(null))\n , EventStartTime = coalesce(column_ifexists(\"StartTime\",datetime(null))\n , todatetime(column_ifexists(\"start\",\"\")))\n , EventEndTime = coalesce(column_ifexists(\"EventEndTime\",datetime(null))\n , todatetime(column_ifexists(\"end\",\"\")))\n , EventType = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"), column_ifexists(\"cat\",\"\"))\n| project-rename EventProductVersion = DeviceVersion\n , DvcId = DeviceExternalID\n , DvcHostname = DeviceName\n , DstNatPortNumber = DestinationTranslatedPort\n , DstHostname = DestinationHostName\n , SrcNatPortNumber = SourceTranslatedPort\n , SrcFileName = FileName\n , SrcFilePath = FilePath\n , EventMessage = Message\n , EventSeverity = LogSeverity\n , EventResult = Activity\n , DstPortNumber = DestinationPort\n , DstUserId = DestinationUserID\n , EventResourceId = DeviceEventClassID\n , HttpRequestMethod = RequestMethod\n , Url = RequestURL\n , HttpContentFormat = RequestContext\n , SrcHostname = SourceHostName\n , DvcAction = DeviceAction\n , DstDomain = DestinationNTDomain\n , SrcPortNumber = SourcePort\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , NetworkProtocol = Protocol\n , NetworkApplicationProtocol = ApplicationProtocol\n , SrcDomain = SourceNTDomain\n , SrcUserId = SourceUserID\n , DstBytes = ReceivedBytes\n , SrcBytes = SentBytes\n| extend EventTimeIngested = todatetime(ReceiptTime)\n| extend SrcNatIpAddr = case(isempty(SourceIP), SourceTranslatedAddress, \n pack_array(SourceTranslatedAddress,SourceIP))\n| extend DstNatIpAddr = case(isempty(DestinationIP), DestinationTranslatedAddress,\n pack_array(DestinationTranslatedAddress, DestinationIP))\n | extend 
SrcUsername = case(isempty(suser0), SourceUserName, \n pack_array(SourceUserName,suser0))\n | extend DstUsername = case(isempty(duser0), DestinationUserName,\n pack_array(DestinationUserName,duser0))\n| project-away ReceiptTime, Type, StartTime, EndTime, DeviceVendor, DeviceProduct, duser0, DestinationUserName, suser0, SourceUserName, AdditionalExtensions, DestinationTranslatedAddress, DestinationIP,SourceTranslatedAddress, SourceIP, DeviceCustom*, FlexString*\n \n", @@ -366,7 +352,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "PaloAltoCDLEvent", + "displayName": "Parser for PaloAltoCDLEvent", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
@@ -379,7 +365,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "PaloAltoCDLEvent", + "displayName": "Parser for PaloAltoCDLEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "PaloAltoCDLEvent", "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Palo Alto Networks'\n| where DeviceProduct =~ 'LF'\n| extend EventVendor = 'Palo Alto Networks'\n| extend EventProduct = 'Cortex Data Lake'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| parse-kv AdditionalExtensions as (PanOSConfigVersion:string, start:datetime, PanOSBytes:int, PanOSSessionStartTime:datetime, PanOSSourceLocation:string, PanOSDestinationLocation:string, PanOSPacketsSent:int, PanOSPacketsReceived:int, PanOSDGHierarchyLevel1:string, PanOSDGHierarchyLevel2:string, PanOSDGHierarchyLevel3:string, PanOSDGHierarchyLevel4:string, PanOSVirtualSystemName:string, PanOSSourceUUID:string, PanOSDestinationUUID:string, PanOSIMSI:string, PanOSIMEI:string, PanOSParentSessionID:string, PanOSParentStarttime:datetime, PanOSTunnel:string, PanOSEndpointAssociationID:string, PanOSChunksTotal:int, PanOSChunksSent:int, PanOSChunksReceived:int, PanOSRuleUUID:string, PanOSHTTP2Connection:string, PanOSLinkChangeCount:int, PanOSSDWANPolicyName:string, PanOSLinkSwitches:string, PanOSSDWANCluster:string, PanOSSDWANDeviceType:string, PanOSSDWANClusterType:string, PanOSSDWANSite:string, PanOSDynamicUserGroupName:string, [\"PanOSX-Forwarded-ForIP\"]:string, PanOSSourceDeviceCategory:string, PanOSSourceDeviceProfile:string, PanOSSourceDeviceModel:string, PanOSSourceDeviceVendor:string, 
PanOSSourceDeviceOSFamily:string, PanOSSourceDeviceOSVersion:string, PanOSSourceDeviceHost:string, PanOSSourceDeviceMac:string, PanOSDestinationDeviceCategory:string, PanOSDestinationDeviceProfile:string, PanOSDestinationDeviceModel:string, PanOSDestinationDeviceVendor:string, PanOSDestinationDeviceOSFamily:string, PanOSDestinationDeviceOSVersion:string, PanOSDestinationDeviceHost:string, PanOSDestinationDeviceMac:string, PanOSContainerID:string, PanOSContainerNameSpace:string, PanOSContainerName:string, PanOSSourceEDL:string, PanOSDestinationEDL:string, PanOSGPHostID:string, PanOSEndpointSerialNumber:string, PanOSSourceDynamicAddressGroup:string, PanOSDestinationDynamicAddressGroup:string, PanOSHASessionOwner:string, PanOSTimeGeneratedHighResolution:string, PanOSNSSAINetworkSliceType:string, PanOSNSSAINetworkSliceDifferentiator:string, PanOSURLCounter:string, [\"PanOSX-Forwarded-For\"]:string, PanOSReferer:string, PanOSInlineMLVerdict:string, PanOSContentVersion:string, PanOSSigFlags:string, PanOSHTTPHeaders:string, PanOSURLCategoryList:string, PanOSHostID:string, PanOSThreatID:string, PanOSFileHash:string, PanOSApplianceOrCloud:string, PanOSFileType:string, PanOSSenderEmail:string, PanOSEmailSubject:string, PanOSRecipientEmail:string, PanOSReportID:string, PanOSThreatCategory:string, PanOSDomainEDL:string, PanOSPartialHash:string, PanOSTunnelEventType:string, PanOSMobileSubscriberISDN:string, PanOSAccessPointName:string, PanOSRadioAccessTechnology:string, PanOSTunnelMessageType:string, PanOSMobileIP:string, PanOSTunnelEndpointID1:string, PanOSTunnelEndpointID2:string, PanOSTunnelInterface:string, PanOSTunnelCauseCode:string, PanOSMobileCountryCode:string, PanOSMobileNetworkCode:string, PanOSMobileAreaCode:string, PanOSMobileBaseStationCode:string, PanOSTunnelEventCode:string, PanOSPacketsDroppedMax:string, PanOSPacketsDroppedTunnel:string, PanOSTunnelInspectionRule:string, PanOSTunnelRemoteUserIP:string, PanOSTunnelRemoteIMSIID:string, 
PanOSProtocolDataUnitsessionID:string, end:string, PanOSUGFlags:string, PanOSUserIdentifiedBySource:string, PanOSTag:string, PanOSEventTime:datetime, PanOSDeviceGroup:string, PanOSTemplate:string, PanOSSourceUser:string, PanOSHipMatchType:string, PanOSSource:string, PanOSTimestampDeviceIdentification:string, deviceExternalID:string, PanOSVirtualSystem:string, Name:string, PanOSStage:string, PanOSAuthMethod:string, PanOSTunnelType:string, PanOSSourceRegion:string, PanOSPrivateIPv4:string, PanOSPrivateIPv6:string, PanOSEndpointSN:string, PanOSGlobalProtectClientVersion:string, PanOSEndpointOSType:string, PanOSEndpointOSVersion:string, PanOSCountOfRepeats:string, PanOSQuarantineReason:string, PanOSConnectionError:string, PanOSDescription:string, PanOSGlobalProtectGatewayLocation:string, PanOSLoginDuration:string, PanOSConnectionMethod:string, PanOSConnectionErrorID:string, PanOSPortal:string, PanOSSequenceNo:string, PanOSGatewaySelectionType:string, PanOSSSLResponseTime:string, PanOSGatewayPriority:string, PanOSAttemptedGateways:string, PanOSGateway:string, PanOSVirtualSystemID:string, startTime:datetime, PanOSRecordType:string, PanOSCloudDNSClientIP:string, PanOSDNSResolverIP:string, PanOSDNSCategory:string, DestinationDNSDomain:string, suser0:string, duser0:string) with (pair_delimiter=';', kv_delimiter='=', quote=\"'\")\n| extend DvcIpAddr = iff(DeviceCustomIPv6Address1Label == \"Device IPv6 Address\", DeviceCustomIPv6Address1, \"\")\n , DstIpAddr = iff(DeviceCustomIPv6Address3Label == \"Destination IPv6 Address\", DeviceCustomIPv6Address3, \"\")\n , SrcIpAddr = iff(DeviceCustomIPv6Address2Label == \"Source IPv6 Address\", DeviceCustomIPv6Address2, \"\")\n , EventResultDetails = coalesce(column_ifexists(\"reason\",\"\"),column_ifexists(\"Reason\",\"\"))\n , SrcZone = iff(DeviceCustomString4Label == \"FromZone\", DeviceCustomString4, \"\") \n , DstZone = iff(DeviceCustomString5Label == \"Zone\", DeviceCustomString5, \"\") \n , NetworkPackets = 
iff(DeviceCustomNumber2Label == \"PacketsTotal\", DeviceCustomNumber2, int(null))\n , NetworkDuration = iff(DeviceCustomNumber3Label == \"SessionDuration\", DeviceCustomNumber3, int(null))\n , NetworkSessionId = iff(DeviceCustomNumber1Label == \"SessionID\", DeviceCustomNumber1, int(null))\n , EventStartTime = coalesce(column_ifexists(\"StartTime\",datetime(null))\n , todatetime(column_ifexists(\"start\",\"\")))\n , EventEndTime = coalesce(column_ifexists(\"EventEndTime\",datetime(null))\n , todatetime(column_ifexists(\"end\",\"\")))\n , EventType = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"), column_ifexists(\"cat\",\"\"))\n| project-rename EventProductVersion = DeviceVersion\n , DvcId = DeviceExternalID\n , DvcHostname = DeviceName\n , DstNatPortNumber = DestinationTranslatedPort\n , DstHostname = DestinationHostName\n , SrcNatPortNumber = SourceTranslatedPort\n , SrcFileName = FileName\n , SrcFilePath = FilePath\n , EventMessage = Message\n , EventSeverity = LogSeverity\n , EventResult = Activity\n , DstPortNumber = DestinationPort\n , DstUserId = DestinationUserID\n , EventResourceId = DeviceEventClassID\n , HttpRequestMethod = RequestMethod\n , Url = RequestURL\n , HttpContentFormat = RequestContext\n , SrcHostname = SourceHostName\n , DvcAction = DeviceAction\n , DstDomain = DestinationNTDomain\n , SrcPortNumber = SourcePort\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , NetworkProtocol = Protocol\n , NetworkApplicationProtocol = ApplicationProtocol\n , SrcDomain = SourceNTDomain\n , SrcUserId = SourceUserID\n , DstBytes = ReceivedBytes\n , SrcBytes = SentBytes\n| extend EventTimeIngested = todatetime(ReceiptTime)\n| extend SrcNatIpAddr = case(isempty(SourceIP), SourceTranslatedAddress, \n pack_array(SourceTranslatedAddress,SourceIP))\n| extend DstNatIpAddr = case(isempty(DestinationIP), DestinationTranslatedAddress,\n pack_array(DestinationTranslatedAddress, DestinationIP))\n | extend 
SrcUsername = case(isempty(suser0), SourceUserName, \n pack_array(SourceUserName,suser0))\n | extend DstUsername = case(isempty(duser0), DestinationUserName,\n pack_array(DestinationUserName,duser0))\n| project-away ReceiptTime, Type, StartTime, EndTime, DeviceVendor, DeviceProduct, duser0, DestinationUserName, suser0, SourceUserName, AdditionalExtensions, DestinationTranslatedAddress, DestinationIP,SourceTranslatedAddress, SourceIP, DeviceCustom*, FlexString*\n \n", @@ -432,7 +418,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLCriticalEventResult_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLCriticalEventResult_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -517,7 +503,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLFilePermissionWithPutRequest_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLFilePermissionWithPutRequest_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -602,7 +588,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLIPsByPorts_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLIPsByPorts_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -687,7 +673,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLIncompleteApplicationProtocol_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLIncompleteApplicationProtocol_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -772,7 +758,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLMultiDenyResultbyUser_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLMultiDenyResultbyUser_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -857,7 +843,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLOutdatedAgentVersions_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLOutdatedAgentVersions_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -942,7 +928,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLOutdatedConfigVersions_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLOutdatedConfigVersions_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -1027,7 +1013,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLRareApplicationLayerProtocol_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLRareApplicationLayerProtocol_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -1112,7 +1098,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLRareFileRequests_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLRareFileRequests_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -1197,7 +1183,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLRarePortsbyUser_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PaloAltoCDLRarePortsbyUser_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -1273,672 +1259,6 @@ "version": "1.0.0" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAltoCDL data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": 
"PaloAltoCDLEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "PaloAltoCDLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PaloAltoCDLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server.", - "title": "2. 
Configure Cortex Data Lake to forward logs to a Syslog Server using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - 
"properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": "PaloAltoCDLEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "PaloAltoCDLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PaloAltoCDLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = 
LastLogReceived > ago(1d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
- }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server.", - "title": "2. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAltoCDL data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = 
max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. 
Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF", - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": 
"DataConnector", - "displayName": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability 
to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF", - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -1948,7 +1268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLConflictingMacAddress_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLConflictingMacAddress_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1975,18 +1295,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2003,22 +1311,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } 
@@ -2074,7 +1382,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLDroppingSessionWithSentTraffic_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLDroppingSessionWithSentTraffic_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2101,18 +1409,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2129,22 +1425,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -2200,7 +1496,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLFileTypeWasChanged_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLFileTypeWasChanged_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -2227,18 +1523,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2255,22 +1539,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } - ] + ], + "entityType": "File" } ] } @@ -2326,7 +1610,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLInboundRiskPorts_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLInboundRiskPorts_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2353,18 +1637,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2381,13 +1653,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } 
@@ -2443,7 +1715,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPossibleAttackWithoutResponse_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPossibleAttackWithoutResponse_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2470,18 +1742,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2498,31 +1758,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ] + ], + "entityType": "URL" } ] } 
@@ -2578,7 +1838,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPossibleFlooding_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPossibleFlooding_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2605,18 +1865,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2633,22 +1881,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -2704,7 +1952,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPossiblePortScan_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPossiblePortScan_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2731,18 +1979,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2758,13 +1994,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -2820,7 +2056,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPrivilegesWasChanged_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPrivilegesWasChanged_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2847,18 +2083,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2875,13 +2099,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" } ] } 
@@ -2937,7 +2161,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPutMethodInHighRiskFileType_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPutMethodInHighRiskFileType_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2964,18 +2188,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2992,13 +2204,13 @@ ], "entityMappings": [ { - "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } - ] + ], + "entityType": "File" } ] } @@ -3054,7 +2266,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLUnexpectedCountries_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLUnexpectedCountries_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -3081,18 +2293,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -3109,22 +2309,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -3176,12 +2376,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "PaloAltoCDL", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1,Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3265,16 +2465,6 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/PaloAltoCDL/ReleaseNotes.md b/Solutions/PaloAltoCDL/ReleaseNotes.md index 117fa0ff7ed..d96f8218854 100644 --- a/Solutions/PaloAltoCDL/ReleaseNotes.md +++ b/Solutions/PaloAltoCDL/ReleaseNotes.md @@ -1,7 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | +| 3.0.3 | 12-11-2024 | Removed Deprecated **Data Connector** | +| 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 12-06-2024 | Optimized parser | -| 3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA **Data Connector** | | - - +| 3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA **Data Connector** | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 8da138881c4..2f41145c5b5 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json 
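Review bot: The new descriptionHtml still carries the sentence `NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.`, which is stale on this side of the diff: the commit is dated November 2024 and its other hunks remove exactly those connectors, so the sentence should be dropped or reworded to say the legacy connectors have been removed and only CEF via AMA is supported. The same sentence survives as a context line in the Akamai Solution_Akamai.json Description further down, so it presumably needs the same treatment in the source Description field this HTML appears to be generated from. The count line `Data Connector: 1,Parsers: 1, Workbooks: 1, ...` is also missing a space after the first comma, and it is worth confirming that a count of 1 is intended, since the following hunk at `@@ -3265,16 +2465,6 @@` removes both DataConnector entries from the solution's dependency list.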
@@ -2903,8 +2903,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "PaloAltoCDL", - "PaloAltoCDLAma" + "CefAma" ], "previewImagesFileNames": [ "PaloAltoBlack.png", From f080b633f3aa9f53b162deaff23db075eb5bd244 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Wed, 13 Nov 2024 10:51:15 +0530 Subject: [PATCH 2/4] Repackage - Akamai Security Events --- .../Data/Solution_Akamai.json | 6 +- .../Akamai Security Events/Package/3.0.2.zip | Bin 0 -> 4922 bytes .../Package/createUiDefinition.json | 36 +- .../Package/mainTemplate.json | 702 +----------------- .../Akamai Security Events/ReleaseNotes.md | 5 +- 5 files changed, 10 insertions(+), 739 deletions(-) create mode 100644 Solutions/Akamai Security Events/Package/3.0.2.zip diff --git a/Solutions/Akamai Security Events/Data/Solution_Akamai.json b/Solutions/Akamai Security Events/Data/Solution_Akamai.json index f162224ef00..6ffdae2f887 100644 --- a/Solutions/Akamai Security Events/Data/Solution_Akamai.json +++ b/Solutions/Akamai Security Events/Data/Solution_Akamai.json @@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "The Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**", - "Data Connectors": [ - "Data Connectors/Connector_CEF_Akamai.json", - "Data Connectors/template_AkamaiSecurityEventsAMA.json" - ], "Parsers": [ "Parsers/AkamaiSIEMEvent.yaml" ], 
@@ -15,7 +11,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Akamai Security Events",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/Akamai Security Events/Package/3.0.2.zip b/Solutions/Akamai Security Events/Package/3.0.2.zip new file mode 100644 index 0000000000000000000000000000000000000000..9d6047479aae78268e72279acc4a67679dff8ade GIT binary patch literal 4922 zcmZ`-bx;(Jx?M`T5u`h$1?leY7FIe|VCn9qkuH&D$)#cGR65s18tFz-T1345-kW*z zX70V;_s2Kqt3S`oIl3BX=wtu@01Hr=^E@hdoisUX*JK=fF3~AW5&vr3>e1%OH`khsg7?SoD?9cvL@daE*t6n=6^!w(^FG$oF?iBZwhZrk z`&S*)G%>X0dPs<2BW}JsMD7M7&R!Cju0C((4R;3K^fIn)Tj=;WuLU&}cr#1JkYrga%24-5$2ngV zD(Rjv=bWQam^X|uI-#P_D_6$pnjk$WBx%Ai%(3UnI2BIO_o&EIKu1c(i$1H(16d}R zpB#{;|1D7atBCO$@7oIEb)Oc^*~uEO8?y|qy1)PuQnAcr(meWHrb z$uzk2Yw{OTC{K8oa4s6nm#-Wf_we>Vcm)|+$+vNDWBImxSfjTfvk4LFAy#)b|G$izY0hJdnYy^=3`-3M|aKWv>0Q%w7CW zh#!h=K0dLeI;H@L%QP5OxAq~-81I?bJl?_5c3|Ha%23-ua#d6*I33S6t(jRc7+~x+ z8?+TwOCh=!j^kxwWUMSFQQpvYt$J`}jf=(wYU!BNgf1T6D2TIQH0xvc>3dGjR&4M- zkRZ?Z`CvG-V-L;L^b*E*b<)0R@f6W*)4Dp&uru#*lDXNh=0yUz4Exp4cfaD=A`-GP z{pd+6)~86>J1df_Bl|W_!9Pj}Kc-?!U{Or7WD5+^(JlQLHK^v4Fb>^^vF4bN$R(wg zpn$FF?9QCgvE)76oYdtohd*@_MixVO7V}q9>3vc<&PX3D#;aGaik4xX>)C(;Dx;g{ zKfl}#a;@XfCR6=}y+KyBc^D*8T!{cVLK>z*;s;~pRF3`YF9XJ5nn~$4{u=5YgRW!| z&bH3HCmEl}_mU;i*@d`G7UnQ%I!t(;ZOQ_Y+Jvmdky?92o_~l;?am^g@)1f7!drkL zcbaclqcbkS)OaON1is?x$I_aA~e@>@4fh_#Mjc zA@$HXX;`7|hg{m}KABwFl(8*^ms%;5)8(xt?tdszCOLGCOX=(90L?Y*^dCd5}* zziit1$I2e&3rU*?6kPr0oE5()YL0<@AURYeo{sstzbr~Pp`u_WNX#cX^2nKuV~;mN zjB79^)!Kk=%gGc_>e17>P2A#X>wj5FUnTzf67stGHc>z(`O`V=?nVx}Jec1vP+cN) zAX};QZt~fcy?Ym)GO_6^KQ73OKwNgj)$YYnEHSJv@tS6Cw6#MjqqWgbr>|^L^mJ7XM-oXO^6x9F#;=gR{ zY7GJ#+Pk{D{N?2T;o(ynXE$n*%bf4BT%6$$3;Bvd;t>wu=3lfCg2&8I{-J7)hrz4}7*{jmT8w|S_* zP0#Ujz(gNy(%hJPJgFqRM*0QglSyHkwd{w$fNqp2?_naUt0rDBe6G6JO_hHwM>FzW(yd3vhc%O(6KOqjN*Ggn|nKP6s zXhWB;%PId@gGSKhaN<`TUaDHz%x8{>#ZD6~qL)xkBX_CzJfbRC#^7-qP_ZzF(i*ejBz}l&&t;VFV-&RDyM(MgLkoa z9IG^dJk^nMdUkysdE$ArU9GCTV`)5?!CgI4p7xqfovO z*eJuK`i*j77&q9)nW?5Ue9V$MT(zRg@By=^2Ak~_ypA}I zY_f*d<#zJ3q~Wi}6Q9r4?NJ=G_gPcN`;81B-Ay&ndKbMA0*ONIw?|l(lh4T}lsvNM 
z3Byjq`TWMzP^2cBnWa*yz!!5N09D3~?2A!*Un@xkB~XdTdP(*DBnOEX0a|66?GffL z%sV3oR2*4j;!Y1)(o;DLuNypgw}=bU)I=^nXFkB7COndfqyv|6E|tZuAzfbF^ASIQ za21;zfn(nLep#5hx^YhE)^3g%b20U%DaMvUeM_-TW0Xk%C+f#o5?Zc3-;1nTbg7t& z=uB8~UL0RSzH2#xETG;TijE#HMjs|}J<8tVTl&tX+pH#0r;~f@Qt%7mQyGP|hL_O3 z!&B%LefwOf$cwD1Oi|7eU;Y>8k#p~4&CRkE|BOKU`qK|Hf(5fQ9C!21~&U|qbdQu$Z>^TR8z&{A5Q#rZ&9fR zz!={}qbQY%gQXL;ln(AaC{I*z>B89=MxU#e;0ds9+9*Exb6i?q?aE5M#UKrM=BsjZ z7~aET!Lh-jwWA86bN>vIwQch7nKKK_ucy<5f7+IwpsbwSnVpYRdjSE$(J=41Q{s`` zBrP~UcStsIO}X>^dE6;$yg&Jb-)V#!{G3pL2ew#>BUL=mx22dth$ePvzt1KJh#HmH z=y!Q3_jm?@3@-+qAFi4n{xn^&Bcl1=ye9l@c85PLu`t>gs?K1_M2lp8_<5ONC*AVG zuM;}XojbW!G_o6FbX`fN{i_XqGr^o|GNs+3FzEvIvK{Txi@bjVDyGXort0;0wH%Lj zNdwI-^q0Gb#9$N$`dZ2LCmWP#+el<-<{M9i?<5wf=o?=MsEIzFB=!G%Dd_>#I z7G=qH$cwMJQ6k&zM0L866d6lbQI69%r3dE_GgcIQC+kZBQJ;V&GvrlUHI^!SE#;2g z!)2qN2XSaqJFWP0`@CfYB`{%CcBTV`on>Jg0~K56F_DF7lHGa>@(T<#rCbQGob3?) zHsQVXFex}XU#BH*I&3rBXEU%La%SaKaUg$GhM*OInFmbSf%ZHYuP<|^dspKFg z>8ibI~km2>GeI z0(+wb0xobQoK3+3q`yvKYKC2$oPZLIA~ z+R~NtVfI)|LS?}QlpI6C!Z`V^xodvpJ3(>AOvzOkI6;&JqawNy#%ppWI#=4AOcD>$ z0>b#0cy67mOx_u)hu;kNUVDXf*SCzhTTzkWTkW4rxcFy%uU;@bHMfD&)6_Z+RjZ-t zwVqD3w-t4=zUp%9k`f}y5HyWgjC1aeaRCvV>bK#4^T@RDTlMT-u{}K38~n{?aw07r z`YnrUsl~ro zrE>oa^w2dmL{md>`fT;9VT%b>Zr*N5+wlZ}TRY8=_>5&lyhK-UWXbjK36&NvYAQ+d z*ICjPem)0%dR_+bHl4W%!KAq==}$7rVyvi^&hD>o6GVcpWmdcqc=2_U`G zH`>2r!h^r?7!6heq#vW*xQTe`2`T1zkiicrS_##GC3b3sRhBgD7^1sMUCbJ>FWi9M zTsxk<1>Xybc<0IhH*jpb-A4XMCgtiFIl6+UR$IjnpjB=|E{EkU-@mlDb@&@SJUpAM z7@4@mf9?j4d8VE>qE-_#UZJdZ{4CzbD=f;53wUjMu$_B8v${Mil-pyAF^@}sOxCIN zrL0Z5Tl-uB6#87nMXq`D>Fc}kwiMy&Eb5EGt8&AJ*rU?eM90@3Wdha2e%@}W%9PCJ zSSjl&JFt+p8xGH}P$n@}#;1#QF$w0vYPv*|hvRZY+OV9ys!(7v{5kLcgBBkrDn$s8 z8gfFZBIK*pM=}24qt*G@PcCQ-K2m@{;&n~Hc ziVY@93%*KxW-5`*P-+PsRNiQ0vf3#&Ta%&5GilW->o{t1VpGPU8UB}^z#9nQL6<#)Y%M2AG3T0nA|HZEBr zSs*4!>42dutHGw8-#pEzO%WX$YmG1EBQD2Eutg zA>O+-R}#D`!oWFhb!HJ!G2Yl?jx2UzPnBeKQsX%_3Q2o+7X+^hY{U)-<)=f z?;_NHxT?r#30QCFSKmPMWrFsG1h)Vmy7rmT`F^c~$9YkHJF^ytE}n3t5u 
z8C8q+HUHnKg}BNVDDJ-+&U+xpU=|98GsP;QYT+zBE$Y*>S~~%k^%m^L-kh{0Z;%8|CGP+ pU;L{7|KvXjtA9@a_et_!^XuPamaYcIvwv1l|7O(RT1@f}`WK*gMwb8p literal 0 HcmV?d00001 diff --git a/Solutions/Akamai Security Events/Package/createUiDefinition.json b/Solutions/Akamai Security Events/Package/createUiDefinition.json index eddebc64f60..3282ba1a44d 100644 --- a/Solutions/Akamai Security Events/Package/createUiDefinition.json +++ b/Solutions/Akamai Security Events/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -50,39 +50,7 @@ "visible": true } ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Akamai Security Events. You can get Akamai Security Events CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - } - ], + "steps": null, "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", diff --git a/Solutions/Akamai Security Events/Package/mainTemplate.json b/Solutions/Akamai Security Events/Package/mainTemplate.json index dd39eb4fe02..ad2858a91af 100644 --- a/Solutions/Akamai Security Events/Package/mainTemplate.json +++ b/Solutions/Akamai Security Events/Package/mainTemplate.json 
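Review bot: Replacing the whole `steps` array with `"steps": null` also drops the `dataconnectors-parser-text` block, although the solution still ships a parser (the basics description on the new side says `**Parsers:** 1`), so the installer wizard no longer tells the user that a parser is deployed. If the CreateUiDefinition schema expects an array for `steps`, `"steps": []` would be the safer value than `null`; I have not verified how the portal validates this. Since Package/createUiDefinition.json appears to be generated by the packaging tool, the fix likely belongs in the tool's handling of solutions that have parsers but no data connectors rather than in this file.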
@@ -33,27 +33,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Akamai Security Events", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-akamai", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "AkamaiSecurityEvents", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "AkamaiSecurityEvents", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "AkamaiSecurityEventsAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "AkamaiSecurityEventsAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - 
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','AkamaiSIEMEvent')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AkamaiSIEMEvent')]", 
@@ -64,672 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Akamai Security Events data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Akamai Security Events via Legacy Agent", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. 
Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Akamai\"\n| where DeviceProduct == \"akamai_siem\"" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Akamai Security Events via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - 
"properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Akamai Security Events via Legacy Agent", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. 
Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Akamai\"\n| where DeviceProduct == \"akamai_siem\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Akamai Security Events data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Akamai Security Events via AMA", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. 
Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions 
to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": 
"DataConnector", - "displayName": "[Deprecated] Akamai Security Events via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Akamai Security Events via AMA", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft 
Sentinel. Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -739,7 +55,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AkamaiSIEMEvent Data Parser with template version 3.0.1", + "description": "AkamaiSIEMEvent Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -867,12 +183,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Akamai Security Events", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Akamai Security Solution for Microsoft Sentinel enables ingestion of Akamai Security Solutions events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Akamai Security Solution for Microsoft Sentinel enables ingestion of Akamai Security Solutions events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1,Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -896,16 +212,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/Akamai Security Events/ReleaseNotes.md b/Solutions/Akamai Security Events/ReleaseNotes.md index da13b3127d1..b2d8a50d734 100644 --- a/Solutions/Akamai Security Events/ReleaseNotes.md +++ b/Solutions/Akamai Security Events/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.1 | 08-07-2024 | Deprecated **Data Connector** | -| 3.0.0 | 20-09-2023 | Addition of new Akamai Security Events AMA **Data Connector** | \ No newline at end of file +| 3.0.2 | 12-11-2024 | Removed Deprecated **Data Connector** | +| 3.0.1 | 08-07-2024 | Deprecated **Data Connector** | +| 3.0.0 | 20-09-2023 | Addition of new Akamai Security Events AMA **Data Connector** | \ No newline at end of file From 40c1c9c2fabe8c01d3447b3c9635c93b8bfce9c3 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Wed, 13 Nov 2024 13:29:41 +0530 Subject: [PATCH 3/4] updated createUiDefinition --- .../Akamai Security Events/Package/3.0.2.zip | Bin 4922 -> 4922 bytes .../Package/createUiDefinition.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Solutions/Akamai Security Events/Package/3.0.2.zip b/Solutions/Akamai Security Events/Package/3.0.2.zip index 9d6047479aae78268e72279acc4a67679dff8ade..e205099ad85473a72d3e5d9293ad4f7f63990e05 100644 GIT binary patch delta 1458 zcmV;j1x@<8Cb}jPP)h>@6aWAK2mqyPZCRspH=~gfC4X&i+cpsXK4Aahplz^ZD6*4n z*buB8j5O&ABx{jm?FTy_Xz46-p+uFWtfpCj{g(Z-{gNH27fZ2IbQ=&DB6+-*=bpP` z?!Wv3!24RqYs{E;4Bpz9LLW~i^-h$roTZpyZX))vR2aoFYtHm!8XZPQ2Zh27$7*t- zkQw~#)qe|I@thkj^XQ@!hQH0C-?hxY@ve>vt>VMyZE865aiV1;5PEO8cD)ofjvW)Ra zZ_A4og$bZxrj^F_YM$Kzk6!Q=55-UwtGLE#D&7zt*Lu#!T^isvaT zaU~T3&$VGf*d2SWr6_F}$6$5+{pVkB>F^sI!u%3z-PV-8@!Kft2%iqiD8x3lt45ig z%zs>b-yBV^FfJ80cl3F>p*wog*l}i}ED5YrV7d;u>1dLMV0-%yxl`tXJd^)PX=7MyH5SSI}`6S~vi6 zwiKvIRf^gP$`#C?($b5ps;a1Ag)6TPN`Kv43IH8|Q0g|bCo;>(f&&)Lq{^59|K#*6 zAoCR39`~%*ofj99N>nNvF4XZ7QXL`aJHZ0;#44xtQwF;WwgOt%t?cO;Y&e72#mpY% z7?UlFcuahyg%c7o)sfA-6Yo@2TnNj8CLx#r(?Er8EShHMW-Y>8uW5?q_4TPOmVa&h z3JFtcV2K{cTWx(ePg*x?m+%9p6jC^y`x+S0ge_%hY$W6%K}5=_VgYkG)rts}y z2uIVS@1pUzcIXXL)FHI>>Co=X&ylGdGTABHP1O$PUF&U$AHW~5t7Q+Z_Fe9{mB={o z!d}zU<+9)Pdi{_NNr5a?jBk|O@PDN4xAVRP^t<_MszL{{zUaosmeqZ$PhDi#s>+U)UwC2()+!01LP*g7H?UGNYik4uLUCtkN=l4Y^uKeJQiv?&2PHLC0@YCoHgR`GV2cGT!k)tpAPjhkXTpS|ls z>3e1F3LHKRI$B3FmCXuHWoncZ!&_2{Yi^_PTpL?)VV?xHD7WMxIH_T|vZg-Zz`blR z00#nSw5}QgtrfYd4K92D9RU@r)KRBK=gyiMi_+C;Kmz5{hmgX*+-JKv`-T6 z<>~d1ne?zRYiE({6FvNXagrgPgri|8Tj>zGC+3j4~ zm&NKc6IhRp=!KHS3!2jdX~C8#toVL56oPivQY7_j@yg`~7(8M65q}F3vY6O+gc~Tr z=3VBZM~NOI^uMHpHj1X5(K|VHg@egkCMe}Dff+0Onvi~79{y-p0HYwkT4n7ydwGTLo5TkF~a_ z9nSPafByhbO9KQH000080ElaCS(>8tBjXGJ07OXu01*HH0Hdr04G5)cZCRspH=~oZ M5@6aWAK2mq&zY*~0gmST|-C4cX3+cpsYK49-~&^A~$6xqo( zYzWp3Mw)g7lC?;(_Jf@dv~-raP@+asR@1J)o@I}=C)tq_Whr)wZUX{CB#-y!cfY%1 z-hciXK=7qbHkh;E6oQR0r9Pcbo1Hjk1z2ALXz9sF*vyJJNKQ4=9F`4`#4W3RW@Jb-l2nyGzz(_C~gtZhx*1X7I zg=?u0c%cmw!tU5}Ek$L+I0dWg??3;7D~I3U5EfV1=(eWxZRn$HB78h7qY!;;*R3)= zoqxOdzB-v*V^S$@?&G< zTu*gt-FvT{bR#^55|v>@KO4V=h->hkMNsY|nC}A@Td&9=XaWHrMyH5SSI}`6JRE=p zTM5*pDnsoAo!j)GCrGIWOjR75iP-&mpGnwaP!2t`;q{^9r@a+8A 
zn9NgX2i&t>cV1jdDp9FyxX{E)NOgpu?-WZcQmdTSj~VPP*b4BlTiNqxu;mQqmvehm zU_!Pm;tBDU7EVaWOvg6!PP|i9b0I7X+Js;VOam3Vv1pp1n~ex_y{0XempA9OSbui$ zD-9rABn7fk3BFQt%YW0R-!A$R(C_9isR|v)`m!4zJ689tK6a6b7lpRX zP)}>A?sUl#)YH;ipE8;t=BlD<`-rxIij|ai9}}kD%o8WMrjDwEzToX{@u3fykO?~o z7tJJ=GQ%Do*zw0xswz8He&(qqm{$@(jgX-MZeXos?rQ`HLUC_sNag*{+&jXIYg3;v`>=Y z`T5O|ne?zR8)uR16FtIyagrgPMx$Oed};yx#7chDKB=Bimzo{TzCW5BkI3Oe+3j39 zl*RfJ6WEN6_^FcRQ<~EQX~9+~toUIzl!A6PQl!mm@!I7F7(8P70e=fpvY6U;gc~Tr z=3N$|M~NOI^uMHpHj1X5(R(>{g@fs9CMe}DfjKL~hLB-X9^q(M0Hbldwc-)9a$|V% zqaUa`H1dKps`iXBKaRlf9pvAb1VU~wcX~=Ye!`YTqxZ`O^JQ?l3`P-HF?TD1(K3jZ zf%D|>>4y=izJ0(`%YSXIFx~GFeZ+PxsV~$L?bde>dPbHOv!W8h@6lu{t0B%i<{kC= zZ?IT%rA_!B;imsd!v6tzL@-dZ^*0=5-h92Y{2(_DUmwE&+h7oxUxWjZT@_fF1J-;| zJDll<{{8__O9KQH000080CiMtS(>8tBjXGJ07OXu01*HH0Hdr04G5==Y*~0gmSU5% M5 and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", From f4436715c2765e7c0776c115525afb971156133b Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Wed, 13 Nov 2024 14:49:06 +0530 Subject: [PATCH 4/4] updated createUiDefinition --- .../Akamai Security Events/Package/3.0.2.zip | Bin 4922 -> 4933 bytes .../Package/createUiDefinition.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Solutions/Akamai Security Events/Package/3.0.2.zip b/Solutions/Akamai Security Events/Package/3.0.2.zip index e205099ad85473a72d3e5d9293ad4f7f63990e05..7bf2e0e84ca758570f4de961c2f0d3e0bcc1588d 100644 GIT binary patch delta 1385 zcmV-v1(y1{CdDQgP)h>@6aWAK2mlXuZCP7FaqeUV000FJkr*}tB<+zk*S0>S4?OOyOSl;Jl1_-+DuT#iWjD_{1eYo&?ahy#e~2jCnx7Jm3qQ%S;lyzH|fHwcw*M1_lNI` z52PJ=x;EYN`66HBj0CerSV4_-&MRginWM6k;3ORijK#W`8ceZ;qx{7?+Bh zJNi7^&>cN#>^L(~mIT%*uwGrSk(|%i9mN6j+gw&TaIMR}H-uZ1>4|Qvx87?fT?+?L zpfZf;XXCdJaSg3!Ar!j^X1l;e)+=%d>Oi0kqfqDn;!CerJ1;II zm8euUT&UwEq&h;-cY+1xiB(SPrwn!%Yz4HiTiLT0u;C157c+a5V@$Rz;xX}+7EVaW zR7W=RPP|i9aUm=VnuK5iOam3Vv1pp1o3#jYy{0La*VkvZSbw(hD}>32aHkYpM{esOfInbY%O1AvyWCMOk#XRK zyt+51+Xy2!+RM}V5el{Pi;_Zy>sL>y`IZbdIH^q29d)I~1 z_sZNAID9X3w2o#fn-!d@*C;85x1z7%Y&ZplM%QXg~GPVK>gd)Z(B z4g}C>JAW1?1Km{532)yA^VGdtlrJz(&DtM;=m(LFFbJo?jW>k)JxwgLk0fhpUn<_q zv+E%<>Ahpt&LY_-died~Bttw2N4;wJ+yeTU75t!iX+5LnH9eUAcrZO2k;D74+qtwa zi`8c)u%0H-sglJhjqic9U`rHMd_NlsK|55zBQ4npccnFPL0MDMc zb5{FCo|8t^oKfb35Zb-H{0m6H=LR#Ur?BJ4Z&)P(!qvwtLX)vT)7g{-N8W$ySs@oVUz7==EQ3 zzT!$7|3AV_|El=^1M-kypk~|NaG15`tF7fnxpDZmF$}Qv29dQ3e;~500xPq}T3gf( zXZoSPe*jQR0|XQR000O8pml9onxge1@6aWAK2mqyPZCRspH=|hv008a{kr*}tH0hC0W`7G@@thkj z^XQ@!hQH0C-?hxY@ve>vt>VMyZE865aiV1;5PEO8cD)ofjvW)RaZ_ zA4og$bZxrj^F_YM$Kzk6!Q=55-UwtGLE#D&7zt*Lu#!T^isvaTaU~T3&$VGf*d2SW zr6_F}$6$5+{pVkB>F^sI!u%3z-PV-8@!Kft2%iqiD8x3lt45ig%zs>b-yBV^FfJ80 zcl3F>p*wog*l}i}ED5YrV7d;u>1dLMV0-%yxl`tXJd^)PX=7MyH5SSI}`6S~vi6wiKvIRf^gP$`#C? 
z($b5ps;a1Ag)6TPN`Kv43IH8|Q0g|bCo;>(f&&)Lq{^59|K#*6AoCR39`~%*ofj99 zN>nNvF4XZ7QXL`aJHZ0;#44xtQwF;WwgOt%t?cO;Y&e72#mpY%7?UlFcuahyg%c7o z)sfA-6Yo@2TnNj8CLx#r(?Er8EShHMW-Y>8uW5?q_4TPOmVa&h3JFtcV2K{cTWx(e zPg*x?m+%9p6jC^y`x+S0ge_%hY$W6%K}5=_VgYkG)rts}y2uIVS@1pUzcIXXL z)FHI>>Co=X&ylGdGTABHP1O$PUF&U$AHW~5t7Q+Z_Fe9{mB={o!d}zU<+9)Pdi{_N zNr5a?jBk|O@PDN4xAVRP^t<_MszL{{zUaosmeqZ$PhDi# zs>+U)UwC2()+!01LP*g7H?UGNYik4uLUCtkN= zl4Y^uKeJQiv?&2PHLC0@YCoHgR`GV2cGT!k)tpAPjhkXTpS|ls>3e1F3LHKRI$B3F zmCXuHWoncZ!&_2{Yi^_PTpL?)VV?xHD7WMxIH_T|vZg-Zz`blR00#nSw5}Q zgtrfYd4K92D9RU@r)KRBK=gyiMi_+C;Kmz5{hmgX*+-JKv`-T6<>~d1ne?zRYiE({ z6FvNXagrgPgri|8Tj>zGC+3j4~m&NKc6IhRp=!KHS z3!2jdX~C8#toVL56oPivQY7_j@yg`~7(8M65q}F3vY6O+gc~Tr=3VBZM~NOI^uMHp zHj1X5(K|VHg@egkCMe}Dff+0Onvi~79{y-p0HYwkT4n7ydwGTLo5TkF~a_9nSPafByhbO9KQH z000080ElaCS(>8tBjXGJ07OXu01*HH0He1B4GyJiZCRspH=|hv008a{lf@D@0*Gsq T{t_Gkj*}Y`BnF@o00000c~g)} diff --git a/Solutions/Akamai Security Events/Package/createUiDefinition.json b/Solutions/Akamai Security Events/Package/createUiDefinition.json index c6e266ce26c..028d0161297 100644 --- a/Solutions/Akamai Security Events/Package/createUiDefinition.json +++ b/Solutions/Akamai Security Events/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n **Data connector:** 1,**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions",
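Review bot: The inserted text `\n\n **Data connector:** 1,**Parsers:** 1\n\n` carries a stray leading space before `**Data connector:**` and uses `Data connector` (lower-case c) while the mainTemplate.json `descriptionHtml` in the same PR writes `Data Connector`; the two strings are shown to the same user and should match. Suggest `\n\n**Data connector:** 1, **Parsers:** 1\n\n` here and the same capitalisation in both files, whichever casing the project prefers. The enclosing `basics` object continues outside the hunk.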