diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json
deleted file mode 100644
index 789e5a1ad1a..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json
+++ /dev/null
@@ -1,486 +0,0 @@
-{
- "Name": "HalcyonAuthenticationEvents_CL",
- "Properties": [
- {
- "name": "TimeGenerated",
- "type": "DateTime"
- },
- {
- "name": "EventCount",
- "type": "Int"
- },
- {
- "name": "EventStartTime",
- "type": "DateTime"
- },
- {
- "name": "EventEndTime",
- "type": "DateTime"
- },
- {
- "name": "EventType",
- "type": "String"
- },
- {
- "name": "EventSubType",
- "type": "String"
- },
- {
- "name": "EventResult",
- "type": "String"
- },
- {
- "name": "EventResultDetails",
- "type": "String"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String"
- },
- {
- "name": "EventSeverity",
- "type": "String"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String"
- },
- {
- "name": "EventProduct",
- "type": "String"
- },
- {
- "name": "EventProductVersion",
- "type": "String"
- },
- {
- "name": "EventVendor",
- "type": "String"
- },
- {
- "name": "EventSchema",
- "type": "String"
- },
- {
- "name": "EventSchemaVersion",
- "type": "String"
- },
- {
- "name": "EventOriginalUid",
- "type": "String"
- },
- {
- "name": "EventOriginalType",
- "type": "String"
- },
- {
- "name": "EventMessage",
- "type": "String"
- },
- {
- "name": "EventOwner",
- "type": "String"
- },
- {
- "name": "EventReportUrl",
- "type": "String"
- },
- {
- "name": "Dvc",
- "type": "String"
- },
- {
- "name": "DvcHostname",
- "type": "String"
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcDomain",
- "type": "String"
- },
- {
- "name": "DvcDomainType",
- "type": "String"
- },
- {
- "name": "DvcFQDN",
- "type": "String"
- },
- {
- "name": "DvcId",
- "type": "String"
- },
- {
- "name": "DvcIdType",
- "type": "String"
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcOs",
- "type": "String"
- },
- {
- "name": "DvcOsVersion",
- "type": "String"
- },
- {
- "name": "DvcAction",
- "type": "String"
- },
- {
- "name": "DvcOriginalAction",
- "type": "String"
- },
- {
- "name": "DvcDescription",
- "type": "String"
- },
- {
- "name": "DvcScope",
- "type": "String"
- },
- {
- "name": "DvcScopeId",
- "type": "String"
- },
- {
- "name": "DvcZone",
- "type": "String"
- },
- {
- "name": "LogonMethod",
- "type": "String"
- },
- {
- "name": "LogonProtocol",
- "type": "String"
- },
- {
- "name": "ActorUsername",
- "type": "String"
- },
- {
- "name": "ActorUsernameType",
- "type": "String"
- },
- {
- "name": "ActorUserId",
- "type": "String"
- },
- {
- "name": "ActorUserIdType",
- "type": "String"
- },
- {
- "name": "ActorUserType",
- "type": "String"
- },
- {
- "name": "ActorOriginalUserType",
- "type": "String"
- },
- {
- "name": "ActorScope",
- "type": "String"
- },
- {
- "name": "ActorScopeId",
- "type": "String"
- },
- {
- "name": "ActorUserSid",
- "type": "String"
- },
- {
- "name": "ActorUserAadId",
- "type": "String"
- },
- {
- "name": "ActorSessionId",
- "type": "String"
- },
- {
- "name": "TargetUsername",
- "type": "String"
- },
- {
- "name": "TargetUsernameType",
- "type": "String"
- },
- {
- "name": "TargetUserId",
- "type": "String"
- },
- {
- "name": "TargetUserIdType",
- "type": "String"
- },
- {
- "name": "TargetUserType",
- "type": "String"
- },
- {
- "name": "TargetOriginalUserType",
- "type": "String"
- },
- {
- "name": "TargetUserScope",
- "type": "String"
- },
- {
- "name": "TargetUserScopeId",
- "type": "String"
- },
- {
- "name": "TargetSessionId",
- "type": "String"
- },
- {
- "name": "TargetUserSessionId",
- "type": "String"
- },
- {
- "name": "TargetUserSessionGuid",
- "type": "String"
- },
- {
- "name": "TargetAppName",
- "type": "String"
- },
- {
- "name": "TargetAppId",
- "type": "String"
- },
- {
- "name": "TargetAppType",
- "type": "String"
- },
- {
- "name": "TargetOriginalAppType",
- "type": "String"
- },
- {
- "name": "TargetUrl",
- "type": "String"
- },
- {
- "name": "TargetHostname",
- "type": "String"
- },
- {
- "name": "TargetDomain",
- "type": "String"
- },
- {
- "name": "TargetDomainType",
- "type": "String"
- },
- {
- "name": "TargetFQDN",
- "type": "String"
- },
- {
- "name": "TargetDescription",
- "type": "String"
- },
- {
- "name": "TargetDvcId",
- "type": "String"
- },
- {
- "name": "TargetDvcIdType",
- "type": "String"
- },
- {
- "name": "TargetDvcOs",
- "type": "String"
- },
- {
- "name": "TargetPortNumber",
- "type": "Int"
- },
- {
- "name": "TargetIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "TargetGeoCity",
- "type": "String"
- },
- {
- "name": "TargetGeoCountry",
- "type": "String"
- },
- {
- "name": "TargetGeoLatitude",
- "type": "Real"
- },
- {
- "name": "TargetGeoLongitude",
- "type": "Real"
- },
- {
- "name": "TargetGeoRegion",
- "type": "String"
- },
- {
- "name": "SrcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "SrcPortNumber",
- "type": "Int"
- },
- {
- "name": "SrcHostname",
- "type": "String"
- },
- {
- "name": "SrcDomain",
- "type": "String"
- },
- {
- "name": "SrcDomainType",
- "type": "String"
- },
- {
- "name": "SrcFQDN",
- "type": "String"
- },
- {
- "name": "SrcDescription",
- "type": "String"
- },
- {
- "name": "SrcDvcId",
- "type": "String"
- },
- {
- "name": "SrcDvcIdType",
- "type": "String"
- },
- {
- "name": "SrcDvcOs",
- "type": "String"
- },
- {
- "name": "SrcIsp",
- "type": "String"
- },
- {
- "name": "SrcGeoCity",
- "type": "String"
- },
- {
- "name": "SrcGeoCountry",
- "type": "String"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "Real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "Real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "String"
- },
- {
- "name": "HttpUserAgent",
- "type": "String"
- },
- {
- "name": "HttpRequestMethod",
- "type": "String"
- },
- {
- "name": "RuleName",
- "type": "String"
- },
- {
- "name": "RuleNumber",
- "type": "Int"
- },
- {
- "name": "Rule",
- "type": "String"
- },
- {
- "name": "ThreatId",
- "type": "String"
- },
- {
- "name": "ThreatName",
- "type": "String"
- },
- {
- "name": "ThreatCategory",
- "type": "String"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "ThreatConfidence",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "String"
- },
- {
- "name": "ThreatIsActive",
- "type": "Bool"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "ThreatField",
- "type": "String"
- },
- {
- "name": "AdditionalFields",
- "type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json
deleted file mode 100644
index 4d1432f6458..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json
+++ /dev/null
@@ -1,458 +0,0 @@
-{
- "Name": "HalcyonDnsActivity_CL",
- "Properties": [
- {
- "name": "TimeGenerated",
- "type": "DateTime"
- },
- {
- "name": "EventCount",
- "type": "Int"
- },
- {
- "name": "EventStartTime",
- "type": "DateTime"
- },
- {
- "name": "EventEndTime",
- "type": "DateTime"
- },
- {
- "name": "EventType",
- "type": "String"
- },
- {
- "name": "EventSubType",
- "type": "String"
- },
- {
- "name": "EventResult",
- "type": "String"
- },
- {
- "name": "EventResultDetails",
- "type": "String"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String"
- },
- {
- "name": "EventSeverity",
- "type": "String"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String"
- },
- {
- "name": "EventProduct",
- "type": "String"
- },
- {
- "name": "EventProductVersion",
- "type": "String"
- },
- {
- "name": "EventVendor",
- "type": "String"
- },
- {
- "name": "EventSchema",
- "type": "String"
- },
- {
- "name": "EventSchemaVersion",
- "type": "String"
- },
- {
- "name": "EventOriginalUid",
- "type": "String"
- },
- {
- "name": "EventOriginalType",
- "type": "String"
- },
- {
- "name": "EventMessage",
- "type": "String"
- },
- {
- "name": "Dvc",
- "type": "String"
- },
- {
- "name": "DvcHostname",
- "type": "String"
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcDomain",
- "type": "String"
- },
- {
- "name": "DvcDomainType",
- "type": "String"
- },
- {
- "name": "DvcFQDN",
- "type": "String"
- },
- {
- "name": "DvcId",
- "type": "String"
- },
- {
- "name": "DvcIdType",
- "type": "String"
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcOs",
- "type": "String"
- },
- {
- "name": "DvcOsVersion",
- "type": "String"
- },
- {
- "name": "DvcAction",
- "type": "String"
- },
- {
- "name": "DvcDescription",
- "type": "String"
- },
- {
- "name": "DvcScope",
- "type": "String"
- },
- {
- "name": "DvcScopeId",
- "type": "String"
- },
- {
- "name": "DvcZone",
- "type": "String"
- },
- {
- "name": "Src",
- "type": "String"
- },
- {
- "name": "SrcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "SrcPortNumber",
- "type": "Int"
- },
- {
- "name": "SrcHostname",
- "type": "String"
- },
- {
- "name": "SrcDomain",
- "type": "String"
- },
- {
- "name": "SrcDomainType",
- "type": "String"
- },
- {
- "name": "SrcFQDN",
- "type": "String"
- },
- {
- "name": "SrcDvcId",
- "type": "String"
- },
- {
- "name": "SrcDvcIdType",
- "type": "String"
- },
- {
- "name": "SrcDvcOs",
- "type": "String"
- },
- {
- "name": "SrcGeoCity",
- "type": "String"
- },
- {
- "name": "SrcGeoCountry",
- "type": "String"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "Real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "Real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "String"
- },
- {
- "name": "SrcUserId",
- "type": "String"
- },
- {
- "name": "SrcUserIdType",
- "type": "String"
- },
- {
- "name": "SrcUsername",
- "type": "String"
- },
- {
- "name": "SrcUsernameType",
- "type": "String"
- },
- {
- "name": "SrcUserType",
- "type": "String"
- },
- {
- "name": "SrcProcessName",
- "type": "String"
- },
- {
- "name": "SrcProcessId",
- "type": "String"
- },
- {
- "name": "SrcProcessGuid",
- "type": "String"
- },
- {
- "name": "DstIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DstPortNumber",
- "type": "Int"
- },
- {
- "name": "DstHostname",
- "type": "String"
- },
- {
- "name": "DstDomain",
- "type": "String"
- },
- {
- "name": "DstDomainType",
- "type": "String"
- },
- {
- "name": "DstFQDN",
- "type": "String"
- },
- {
- "name": "DstDvcId",
- "type": "String"
- },
- {
- "name": "DstDvcIdType",
- "type": "String"
- },
- {
- "name": "DstGeoCity",
- "type": "String"
- },
- {
- "name": "DstGeoCountry",
- "type": "String"
- },
- {
- "name": "DstGeoLatitude",
- "type": "Real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "Real"
- },
- {
- "name": "DstGeoRegion",
- "type": "String"
- },
- {
- "name": "DnsQuery",
- "type": "String"
- },
- {
- "name": "DnsQueryType",
- "type": "Int"
- },
- {
- "name": "DnsQueryTypeName",
- "type": "String"
- },
- {
- "name": "DnsQueryClass",
- "type": "Int"
- },
- {
- "name": "DnsQueryClassName",
- "type": "String"
- },
- {
- "name": "DnsResponseCode",
- "type": "Int"
- },
- {
- "name": "DnsResponseName",
- "type": "String"
- },
- {
- "name": "DnsResponseIpCity",
- "type": "String"
- },
- {
- "name": "DnsResponseIpCountry",
- "type": "String"
- },
- {
- "name": "DnsResponseIpLatitude",
- "type": "Real"
- },
- {
- "name": "DnsResponseIpLongitude",
- "type": "Real"
- },
- {
- "name": "DnsResponseIpRegion",
- "type": "String"
- },
- {
- "name": "DnsFlags",
- "type": "String"
- },
- {
- "name": "DnsFlagsAuthenticated",
- "type": "Bool"
- },
- {
- "name": "DnsFlagsAuthoritative",
- "type": "Bool"
- },
- {
- "name": "DnsFlagsCheckingDisabled",
- "type": "Bool"
- },
- {
- "name": "DnsFlagsRecursionAvailable",
- "type": "Bool"
- },
- {
- "name": "DnsFlagsRecursionDesired",
- "type": "Bool"
- },
- {
- "name": "DnsFlagsTruncated",
- "type": "Bool"
- },
- {
- "name": "DnsFlagsZ",
- "type": "Bool"
- },
- {
- "name": "DnsNetworkDuration",
- "type": "Int"
- },
- {
- "name": "DnsSessionId",
- "type": "String"
- },
- {
- "name": "TransactionIdHex",
- "type": "String"
- },
- {
- "name": "NetworkProtocol",
- "type": "String"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "String"
- },
- {
- "name": "ThreatId",
- "type": "String"
- },
- {
- "name": "ThreatName",
- "type": "String"
- },
- {
- "name": "ThreatCategory",
- "type": "String"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "ThreatConfidence",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "String"
- },
- {
- "name": "ThreatIsActive",
- "type": "Bool"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "ThreatField",
- "type": "String"
- },
- {
- "name": "AdditionalFields",
- "type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json
deleted file mode 100644
index a615bd4d889..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json
+++ /dev/null
@@ -1,435 +0,0 @@
-{
- "Name": "HalcyonFileActivity_CL",
- "Properties": [
- {
- "name": "TimeGenerated",
- "type": "DateTime"
- },
- {
- "name": "EventCount",
- "type": "Int"
- },
- {
- "name": "EventStartTime",
- "type": "DateTime"
- },
- {
- "name": "EventEndTime",
- "type": "DateTime"
- },
- {
- "name": "EventType",
- "type": "String"
- },
- {
- "name": "EventSubType",
- "type": "String"
- },
- {
- "name": "EventResult",
- "type": "String"
- },
- {
- "name": "EventResultDetails",
- "type": "String"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String"
- },
- {
- "name": "EventSeverity",
- "type": "String"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String"
- },
- {
- "name": "EventProduct",
- "type": "String"
- },
- {
- "name": "EventProductVersion",
- "type": "String"
- },
- {
- "name": "EventVendor",
- "type": "String"
- },
- {
- "name": "EventSchema",
- "type": "String"
- },
- {
- "name": "EventSchemaVersion",
- "type": "String"
- },
- {
- "name": "EventOriginalUid",
- "type": "String"
- },
- {
- "name": "EventOriginalType",
- "type": "String"
- },
- {
- "name": "EventMessage",
- "type": "String"
- },
- {
- "name": "Dvc",
- "type": "String"
- },
- {
- "name": "DvcHostname",
- "type": "String"
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcDomain",
- "type": "String"
- },
- {
- "name": "DvcDomainType",
- "type": "String"
- },
- {
- "name": "DvcFQDN",
- "type": "String"
- },
- {
- "name": "DvcId",
- "type": "String"
- },
- {
- "name": "DvcIdType",
- "type": "String"
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcOs",
- "type": "String"
- },
- {
- "name": "DvcOsVersion",
- "type": "String"
- },
- {
- "name": "DvcAction",
- "type": "String"
- },
- {
- "name": "DvcOriginalAction",
- "type": "String"
- },
- {
- "name": "DvcScope",
- "type": "String"
- },
- {
- "name": "DvcScopeId",
- "type": "String"
- },
- {
- "name": "ActorUsername",
- "type": "String"
- },
- {
- "name": "ActorUsernameType",
- "type": "String"
- },
- {
- "name": "ActorUserId",
- "type": "String"
- },
- {
- "name": "ActorUserIdType",
- "type": "String"
- },
- {
- "name": "ActorUserType",
- "type": "String"
- },
- {
- "name": "ActorScope",
- "type": "String"
- },
- {
- "name": "ActorScopeId",
- "type": "String"
- },
- {
- "name": "ActorSessionId",
- "type": "String"
- },
- {
- "name": "ActingProcessName",
- "type": "String"
- },
- {
- "name": "ActingProcessId",
- "type": "String"
- },
- {
- "name": "ActingProcessGuid",
- "type": "String"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "String"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "DateTime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "String"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "String"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "String"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "String"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "Long"
- },
- {
- "name": "ActingProcessMD5",
- "type": "String"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "String"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "String"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "String"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "String"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "String"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "String"
- },
- {
- "name": "TargetFileName",
- "type": "String"
- },
- {
- "name": "TargetFilePath",
- "type": "String"
- },
- {
- "name": "TargetFilePathType",
- "type": "String"
- },
- {
- "name": "TargetFileDirectory",
- "type": "String"
- },
- {
- "name": "TargetFileExtension",
- "type": "String"
- },
- {
- "name": "TargetFileMimeType",
- "type": "String"
- },
- {
- "name": "TargetFileCreationTime",
- "type": "DateTime"
- },
- {
- "name": "TargetFileSize",
- "type": "Long"
- },
- {
- "name": "TargetFileMD5",
- "type": "String"
- },
- {
- "name": "TargetFileSHA1",
- "type": "String"
- },
- {
- "name": "TargetFileSHA256",
- "type": "String"
- },
- {
- "name": "TargetFileSHA512",
- "type": "String"
- },
- {
- "name": "SrcFileName",
- "type": "String"
- },
- {
- "name": "SrcFilePath",
- "type": "String"
- },
- {
- "name": "SrcFilePathType",
- "type": "String"
- },
- {
- "name": "SrcFileDirectory",
- "type": "String"
- },
- {
- "name": "SrcFileExtension",
- "type": "String"
- },
- {
- "name": "SrcFileMimeType",
- "type": "String"
- },
- {
- "name": "SrcFileCreationTime",
- "type": "DateTime"
- },
- {
- "name": "SrcFileSize",
- "type": "Long"
- },
- {
- "name": "SrcFileMD5",
- "type": "String"
- },
- {
- "name": "SrcFileSHA1",
- "type": "String"
- },
- {
- "name": "SrcFileSHA256",
- "type": "String"
- },
- {
- "name": "SrcFileSHA512",
- "type": "String"
- },
- {
- "name": "HashType",
- "type": "String"
- },
- {
- "name": "FileMD5",
- "type": "String"
- },
- {
- "name": "FileSHA1",
- "type": "String"
- },
- {
- "name": "FileSHA256",
- "type": "String"
- },
- {
- "name": "FileSHA512",
- "type": "String"
- },
- {
- "name": "FileContentType",
- "type": "String"
- },
- {
- "name": "FileSize",
- "type": "Int"
- },
- {
- "name": "FileName",
- "type": "String"
- },
- {
- "name": "ThreatId",
- "type": "String"
- },
- {
- "name": "ThreatName",
- "type": "String"
- },
- {
- "name": "ThreatCategory",
- "type": "String"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "ThreatConfidence",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "String"
- },
- {
- "name": "ThreatIsActive",
- "type": "Bool"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatFilePath",
- "type": "String"
- },
- {
- "name": "ThreatField",
- "type": "String"
- },
- {
- "name": "AdditionalFields",
- "type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json
deleted file mode 100644
index ca4c83fb1c7..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json
+++ /dev/null
@@ -1,666 +0,0 @@
-{
- "Name": "HalcyonNetworkSession_CL",
- "Properties": [
- {
- "name": "TimeGenerated",
- "type": "DateTime"
- },
- {
- "name": "EventCount",
- "type": "Int"
- },
- {
- "name": "EventStartTime",
- "type": "DateTime"
- },
- {
- "name": "EventEndTime",
- "type": "DateTime"
- },
- {
- "name": "EventType",
- "type": "String"
- },
- {
- "name": "EventSubType",
- "type": "String"
- },
- {
- "name": "EventResult",
- "type": "String"
- },
- {
- "name": "EventResultDetails",
- "type": "String"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String"
- },
- {
- "name": "EventSeverity",
- "type": "String"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String"
- },
- {
- "name": "EventProduct",
- "type": "String"
- },
- {
- "name": "EventProductVersion",
- "type": "String"
- },
- {
- "name": "EventVendor",
- "type": "String"
- },
- {
- "name": "EventSchema",
- "type": "String"
- },
- {
- "name": "EventSchemaVersion",
- "type": "String"
- },
- {
- "name": "EventOriginalUid",
- "type": "String"
- },
- {
- "name": "EventOriginalType",
- "type": "String"
- },
- {
- "name": "EventMessage",
- "type": "String"
- },
- {
- "name": "Dvc",
- "type": "String"
- },
- {
- "name": "DvcHostname",
- "type": "String"
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcDomain",
- "type": "String"
- },
- {
- "name": "DvcDomainType",
- "type": "String"
- },
- {
- "name": "DvcFQDN",
- "type": "String"
- },
- {
- "name": "DvcId",
- "type": "String"
- },
- {
- "name": "DvcIdType",
- "type": "String"
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcOs",
- "type": "String"
- },
- {
- "name": "DvcOsVersion",
- "type": "String"
- },
- {
- "name": "DvcAction",
- "type": "String"
- },
- {
- "name": "DvcOriginalAction",
- "type": "String"
- },
- {
- "name": "DvcDescription",
- "type": "String"
- },
- {
- "name": "DvcInterface",
- "type": "String"
- },
- {
- "name": "DvcZone",
- "type": "String"
- },
- {
- "name": "DvcScope",
- "type": "String"
- },
- {
- "name": "DvcScopeId",
- "type": "String"
- },
- {
- "name": "Src",
- "type": "String"
- },
- {
- "name": "SrcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "SrcPortNumber",
- "type": "Int"
- },
- {
- "name": "SrcHostname",
- "type": "String"
- },
- {
- "name": "SrcDomain",
- "type": "String"
- },
- {
- "name": "SrcDomainType",
- "type": "String"
- },
- {
- "name": "SrcFQDN",
- "type": "String"
- },
- {
- "name": "SrcDvcId",
- "type": "String"
- },
- {
- "name": "SrcDvcIdType",
- "type": "String"
- },
- {
- "name": "SrcDvcScopeId",
- "type": "String"
- },
- {
- "name": "SrcDvcScope",
- "type": "String"
- },
- {
- "name": "SrcDeviceType",
- "type": "String"
- },
- {
- "name": "SrcUserId",
- "type": "String"
- },
- {
- "name": "SrcUserIdType",
- "type": "String"
- },
- {
- "name": "SrcUsername",
- "type": "String"
- },
- {
- "name": "SrcUsernameType",
- "type": "String"
- },
- {
- "name": "SrcUserType",
- "type": "String"
- },
- {
- "name": "SrcOriginalUserType",
- "type": "String"
- },
- {
- "name": "SrcUserScope",
- "type": "String"
- },
- {
- "name": "SrcUserScopeId",
- "type": "String"
- },
- {
- "name": "SrcMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "SrcDvcOs",
- "type": "String"
- },
- {
- "name": "SrcIsp",
- "type": "String"
- },
- {
- "name": "SrcGeoCity",
- "type": "String"
- },
- {
- "name": "SrcGeoCountry",
- "type": "String"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "Real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "Real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "String"
- },
- {
- "name": "SrcRiskLevel",
- "type": "Int"
- },
- {
- "name": "SrcOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "SrcProcessName",
- "type": "String"
- },
- {
- "name": "SrcProcessId",
- "type": "String"
- },
- {
- "name": "SrcProcessGuid",
- "type": "String"
- },
- {
- "name": "SrcAppName",
- "type": "String"
- },
- {
- "name": "SrcAppId",
- "type": "String"
- },
- {
- "name": "SrcAppType",
- "type": "String"
- },
- {
- "name": "SrcZone",
- "type": "String"
- },
- {
- "name": "SrcInterfaceName",
- "type": "String"
- },
- {
- "name": "SrcInterfaceGuid",
- "type": "String"
- },
- {
- "name": "SrcVlanId",
- "type": "String"
- },
- {
- "name": "SrcSubscriptionId",
- "type": "String"
- },
- {
- "name": "Dst",
- "type": "String"
- },
- {
- "name": "DstIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DstPortNumber",
- "type": "Int"
- },
- {
- "name": "DstHostname",
- "type": "String"
- },
- {
- "name": "DstDomain",
- "type": "String"
- },
- {
- "name": "DstDomainType",
- "type": "String"
- },
- {
- "name": "DstFQDN",
- "type": "String"
- },
- {
- "name": "DstDvcId",
- "type": "String"
- },
- {
- "name": "DstDvcIdType",
- "type": "String"
- },
- {
- "name": "DstDvcScopeId",
- "type": "String"
- },
- {
- "name": "DstDvcScope",
- "type": "String"
- },
- {
- "name": "DstDeviceType",
- "type": "String"
- },
- {
- "name": "DstUserId",
- "type": "String"
- },
- {
- "name": "DstUserIdType",
- "type": "String"
- },
- {
- "name": "DstUsername",
- "type": "String"
- },
- {
- "name": "DstUsernameType",
- "type": "String"
- },
- {
- "name": "DstUserType",
- "type": "String"
- },
- {
- "name": "DstOriginalUserType",
- "type": "String"
- },
- {
- "name": "DstUserScope",
- "type": "String"
- },
- {
- "name": "DstUserScopeId",
- "type": "String"
- },
- {
- "name": "DstMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DstDvcOs",
- "type": "String"
- },
- {
- "name": "DstIsp",
- "type": "String"
- },
- {
- "name": "DstGeoCity",
- "type": "String"
- },
- {
- "name": "DstGeoCountry",
- "type": "String"
- },
- {
- "name": "DstGeoLatitude",
- "type": "Real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "Real"
- },
- {
- "name": "DstGeoRegion",
- "type": "String"
- },
- {
- "name": "DstRiskLevel",
- "type": "Int"
- },
- {
- "name": "DstOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "DstProcessName",
- "type": "String"
- },
- {
- "name": "DstProcessId",
- "type": "String"
- },
- {
- "name": "DstProcessGuid",
- "type": "String"
- },
- {
- "name": "DstAppName",
- "type": "String"
- },
- {
- "name": "DstAppId",
- "type": "String"
- },
- {
- "name": "DstAppType",
- "type": "String"
- },
- {
- "name": "DstZone",
- "type": "String"
- },
- {
- "name": "DstInterfaceName",
- "type": "String"
- },
- {
- "name": "DstInterfaceGuid",
- "type": "String"
- },
- {
- "name": "DstVlanId",
- "type": "String"
- },
- {
- "name": "DstSubscriptionId",
- "type": "String"
- },
- {
- "name": "NetworkApplicationProtocol",
- "type": "String"
- },
- {
- "name": "NetworkProtocol",
- "type": "String"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "String"
- },
- {
- "name": "NetworkDirection",
- "type": "String"
- },
- {
- "name": "NetworkDuration",
- "type": "Int"
- },
- {
- "name": "NetworkIcmpCode",
- "type": "Int"
- },
- {
- "name": "NetworkIcmpType",
- "type": "String"
- },
- {
- "name": "NetworkConnectionHistory",
- "type": "String"
- },
- {
- "name": "DstBytes",
- "type": "Long"
- },
- {
- "name": "SrcBytes",
- "type": "Long"
- },
- {
- "name": "NetworkBytes",
- "type": "Long"
- },
- {
- "name": "DstPackets",
- "type": "Long"
- },
- {
- "name": "SrcPackets",
- "type": "Long"
- },
- {
- "name": "NetworkPackets",
- "type": "Long"
- },
- {
- "name": "NetworkSessionId",
- "type": "String"
- },
- {
- "name": "SessionId",
- "type": "String"
- },
- {
- "name": "SrcNatIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "SrcNatPortNumber",
- "type": "Int"
- },
- {
- "name": "DstNatIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DstNatPortNumber",
- "type": "Int"
- },
- {
- "name": "TcpFlags",
- "type": "String"
- },
- {
- "name": "SrcVmName",
- "type": "String"
- },
- {
- "name": "DstVmName",
- "type": "String"
- },
- {
- "name": "NetworkRuleName",
- "type": "String"
- },
- {
- "name": "NetworkRuleNumber",
- "type": "Int"
- },
- {
- "name": "Rule",
- "type": "String"
- },
- {
- "name": "RuleName",
- "type": "String"
- },
- {
- "name": "RuleNumber",
- "type": "Int"
- },
- {
- "name": "ThreatId",
- "type": "String"
- },
- {
- "name": "ThreatName",
- "type": "String"
- },
- {
- "name": "ThreatCategory",
- "type": "String"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "ThreatConfidence",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "String"
- },
- {
- "name": "ThreatIsActive",
- "type": "Bool"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "ThreatField",
- "type": "String"
- },
- {
- "name": "AdditionalFields",
- "type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json
deleted file mode 100644
index 2e79d8933be..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json
+++ /dev/null
@@ -1,511 +0,0 @@
-{
- "Name": "HalcyonProcessEvent_CL",
- "Properties": [
- {
- "name": "TimeGenerated",
- "type": "DateTime"
- },
- {
- "name": "EventCount",
- "type": "Int"
- },
- {
- "name": "EventStartTime",
- "type": "DateTime"
- },
- {
- "name": "EventEndTime",
- "type": "DateTime"
- },
- {
- "name": "EventType",
- "type": "String"
- },
- {
- "name": "EventSubType",
- "type": "String"
- },
- {
- "name": "EventResult",
- "type": "String"
- },
- {
- "name": "EventResultDetails",
- "type": "String"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String"
- },
- {
- "name": "EventSeverity",
- "type": "String"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String"
- },
- {
- "name": "EventProduct",
- "type": "String"
- },
- {
- "name": "EventProductVersion",
- "type": "String"
- },
- {
- "name": "EventVendor",
- "type": "String"
- },
- {
- "name": "EventSchema",
- "type": "String"
- },
- {
- "name": "EventSchemaVersion",
- "type": "String"
- },
- {
- "name": "EventOriginalUid",
- "type": "String"
- },
- {
- "name": "EventOriginalType",
- "type": "String"
- },
- {
- "name": "EventMessage",
- "type": "String"
- },
- {
- "name": "Dvc",
- "type": "String"
- },
- {
- "name": "DvcHostname",
- "type": "String"
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcDomain",
- "type": "String"
- },
- {
- "name": "DvcDomainType",
- "type": "String"
- },
- {
- "name": "DvcFQDN",
- "type": "String"
- },
- {
- "name": "DvcId",
- "type": "String"
- },
- {
- "name": "DvcIdType",
- "type": "String"
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "DvcOs",
- "type": "String"
- },
- {
- "name": "DvcOsVersion",
- "type": "String"
- },
- {
- "name": "DvcAction",
- "type": "String"
- },
- {
- "name": "DvcOriginalAction",
- "type": "String"
- },
- {
- "name": "DvcScope",
- "type": "String"
- },
- {
- "name": "DvcScopeId",
- "type": "String"
- },
- {
- "name": "DvcZone",
- "type": "String"
- },
- {
- "name": "ActorUsername",
- "type": "String"
- },
- {
- "name": "ActorUsernameType",
- "type": "String"
- },
- {
- "name": "ActorUserId",
- "type": "String"
- },
- {
- "name": "ActorUserIdType",
- "type": "String"
- },
- {
- "name": "ActorUserType",
- "type": "String"
- },
- {
- "name": "ActorScope",
- "type": "String"
- },
- {
- "name": "ActorScopeId",
- "type": "String"
- },
- {
- "name": "ActorSessionId",
- "type": "String"
- },
- {
- "name": "ActingProcessName",
- "type": "String"
- },
- {
- "name": "ActingProcessId",
- "type": "String"
- },
- {
- "name": "ActingProcessGuid",
- "type": "String"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "String"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "DateTime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "String"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "String"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "String"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "String"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "Long"
- },
- {
- "name": "ActingProcessMD5",
- "type": "String"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "String"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "String"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "String"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "String"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "String"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "String"
- },
- {
- "name": "ParentProcessName",
- "type": "String"
- },
- {
- "name": "ParentProcessId",
- "type": "String"
- },
- {
- "name": "ParentProcessGuid",
- "type": "String"
- },
- {
- "name": "ParentProcessCommandLine",
- "type": "String"
- },
- {
- "name": "ParentProcessCreationTime",
- "type": "DateTime"
- },
- {
- "name": "ParentProcessFileCompany",
- "type": "String"
- },
- {
- "name": "ParentProcessFileDescription",
- "type": "String"
- },
- {
- "name": "ParentProcessFileProduct",
- "type": "String"
- },
- {
- "name": "ParentProcessFileVersion",
- "type": "String"
- },
- {
- "name": "ParentProcessFileSize",
- "type": "Long"
- },
- {
- "name": "ParentProcessMD5",
- "type": "String"
- },
- {
- "name": "ParentProcessSHA1",
- "type": "String"
- },
- {
- "name": "ParentProcessSHA256",
- "type": "String"
- },
- {
- "name": "ParentProcessSHA512",
- "type": "String"
- },
- {
- "name": "ParentProcessIMPHASH",
- "type": "String"
- },
- {
- "name": "ParentProcessIntegrityLevel",
- "type": "String"
- },
- {
- "name": "ParentProcessTokenElevation",
- "type": "String"
- },
- {
- "name": "TargetProcessName",
- "type": "String"
- },
- {
- "name": "TargetProcessId",
- "type": "String"
- },
- {
- "name": "TargetProcessGuid",
- "type": "String"
- },
- {
- "name": "TargetProcessCommandLine",
- "type": "String"
- },
- {
- "name": "TargetProcessCurrentDirectory",
- "type": "String"
- },
- {
- "name": "TargetProcessCreationTime",
- "type": "DateTime"
- },
- {
- "name": "TargetProcessFileCompany",
- "type": "String"
- },
- {
- "name": "TargetProcessFileDescription",
- "type": "String"
- },
- {
- "name": "TargetProcessFileProduct",
- "type": "String"
- },
- {
- "name": "TargetProcessFileVersion",
- "type": "String"
- },
- {
- "name": "TargetProcessFileSize",
- "type": "Long"
- },
- {
- "name": "TargetProcessMD5",
- "type": "String"
- },
- {
- "name": "TargetProcessSHA1",
- "type": "String"
- },
- {
- "name": "TargetProcessSHA256",
- "type": "String"
- },
- {
- "name": "TargetProcessSHA512",
- "type": "String"
- },
- {
- "name": "TargetProcessIMPHASH",
- "type": "String"
- },
- {
- "name": "TargetProcessIntegrityLevel",
- "type": "String"
- },
- {
- "name": "TargetProcessTokenElevation",
- "type": "String"
- },
- {
- "name": "TargetUsername",
- "type": "String"
- },
- {
- "name": "TargetUsernameType",
- "type": "String"
- },
- {
- "name": "TargetUserId",
- "type": "String"
- },
- {
- "name": "TargetUserIdType",
- "type": "String"
- },
- {
- "name": "TargetUserType",
- "type": "String"
- },
- {
- "name": "TargetUserSessionId",
- "type": "String"
- },
- {
- "name": "TargetUserScope",
- "type": "String"
- },
- {
- "name": "TargetUserScopeId",
- "type": "String"
- },
- {
- "name": "Hash",
- "type": "String"
- },
- {
- "name": "HashType",
- "type": "String"
- },
- {
- "name": "MD5",
- "type": "String"
- },
- {
- "name": "SHA1",
- "type": "String"
- },
- {
- "name": "SHA256",
- "type": "String"
- },
- {
- "name": "SHA512",
- "type": "String"
- },
- {
- "name": "IMPHASH",
- "type": "String"
- },
- {
- "name": "ThreatId",
- "type": "String"
- },
- {
- "name": "ThreatName",
- "type": "String"
- },
- {
- "name": "ThreatCategory",
- "type": "String"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "String"
- },
- {
- "name": "ThreatConfidence",
- "type": "Int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "String"
- },
- {
- "name": "ThreatIsActive",
- "type": "Bool"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "DateTime"
- },
- {
- "name": "ThreatFilePath",
- "type": "String"
- },
- {
- "name": "ThreatField",
- "type": "String"
- },
- {
- "name": "AdditionalFields",
- "type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json
index 9c2976715ce..68f938630ed 100644
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json
+++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json
@@ -9,1580 +9,148 @@
"Custom-Halcyon": {
"columns": [
{
- "name": "ActingAppId",
- "type": "string"
- },
- {
- "name": "ActingAppName",
- "type": "string"
- },
- {
- "name": "ActingAppType",
- "type": "string"
- },
- {
- "name": "ActingOriginalAppType",
- "type": "string"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ActingProcessFileInternalName",
- "type": "string"
- },
- {
- "name": "ActingProcessFilename",
- "type": "string"
- },
- {
- "name": "ActingProcessFileOriginalName",
- "type": "string"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "long"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ActingProcessGuid",
- "type": "string"
- },
- {
- "name": "ActingProcessId",
- "type": "string"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ActingProcessInjectedAddress",
- "type": "string"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ActingProcessIsHidden",
- "type": "boolean"
- },
- {
- "name": "ActingProcessMD5",
- "type": "string"
- },
- {
- "name": "ActingProcessName",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "string"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "ActorOriginalUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "ActorUserAadId",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserSid",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "DhcpCircuitId",
- "type": "string"
- },
- {
- "name": "DhcpLeaseDuration",
- "type": "int"
- },
- {
- "name": "DhcpSessionDuration",
- "type": "int"
- },
- {
- "name": "DhcpSessionId",
- "type": "string"
- },
- {
- "name": "DhcpSrcDHCId",
- "type": "string"
- },
- {
- "name": "DhcpSubscriberId",
- "type": "string"
- },
- {
- "name": "DhcpUserClass",
- "type": "string"
- },
- {
- "name": "DhcpUserClassId",
- "type": "string"
- },
- {
- "name": "DhcpVendorClass",
- "type": "string"
- },
- {
- "name": "DhcpVendorClassId",
- "type": "string"
- },
- {
- "name": "DnsFlags",
- "type": "string"
- },
- {
- "name": "DnsFlagsAuthenticated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsAuthoritative",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsCheckingDisabled",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionAvailable",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionDesired",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsTruncated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsZ",
- "type": "boolean"
- },
- {
- "name": "DnsNetworkDuration",
- "type": "int"
- },
- {
- "name": "DnsQuery",
- "type": "string"
- },
- {
- "name": "DnsQueryClass",
- "type": "int"
- },
- {
- "name": "DnsQueryClassName",
- "type": "string"
- },
- {
- "name": "DnsQueryType",
- "type": "int"
- },
- {
- "name": "DnsQueryTypeName",
- "type": "string"
- },
- {
- "name": "DnsResponseCode",
- "type": "int"
- },
- {
- "name": "DnsResponseIpCity",
- "type": "string"
- },
- {
- "name": "DnsResponseIpCountry",
- "type": "string"
- },
- {
- "name": "DnsResponseIpLatitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpLongitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpRegion",
- "type": "string"
- },
- {
- "name": "DnsResponseName",
- "type": "string"
- },
- {
- "name": "DnsSessionId",
- "type": "string"
- },
- {
- "name": "Dst",
- "type": "string"
- },
- {
- "name": "DstAppId",
- "type": "string"
- },
- {
- "name": "DstAppName",
- "type": "string"
- },
- {
- "name": "DstAppType",
- "type": "string"
- },
- {
- "name": "DstBytes",
- "type": "long"
- },
- {
- "name": "DstDescription",
- "type": "string"
- },
- {
- "name": "DstDeviceType",
- "type": "string"
- },
- {
- "name": "DstDomain",
- "type": "string"
- },
- {
- "name": "DstDomainType",
- "type": "string"
- },
- {
- "name": "DstDvcId",
- "type": "string"
- },
- {
- "name": "DstDvcIdType",
- "type": "string"
- },
- {
- "name": "DstDvcScope",
- "type": "string"
- },
- {
- "name": "DstDvcScopeId",
- "type": "string"
- },
- {
- "name": "DstFQDN",
- "type": "string"
- },
- {
- "name": "DstGeoCity",
- "type": "string"
- },
- {
- "name": "DstGeoCountry",
- "type": "string"
- },
- {
- "name": "DstGeoLatitude",
- "type": "real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "real"
- },
- {
- "name": "DstGeoRegion",
- "type": "string"
- },
- {
- "name": "DstHostname",
- "type": "string"
- },
- {
- "name": "DstInterfaceGuid",
- "type": "string"
- },
- {
- "name": "DstInterfaceName",
- "type": "string"
- },
- {
- "name": "DstIpAddr",
- "type": "string"
- },
- {
- "name": "DstMacAddr",
- "type": "string"
- },
- {
- "name": "DstNatIpAddr",
- "type": "string"
- },
- {
- "name": "DstNatPortNumber",
- "type": "int"
- },
- {
- "name": "DstOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "DstOriginalUserType",
- "type": "string"
- },
- {
- "name": "DstPackets",
- "type": "long"
- },
- {
- "name": "DstPortNumber",
- "type": "int"
- },
- {
- "name": "DstRiskLevel",
- "type": "int"
- },
- {
- "name": "DstSubscriptionId",
- "type": "string"
- },
- {
- "name": "DstUserId",
- "type": "string"
- },
- {
- "name": "DstUserIdType",
- "type": "string"
- },
- {
- "name": "DstUsername",
- "type": "string"
- },
- {
- "name": "DstUsernameType",
- "type": "string"
- },
- {
- "name": "DstUserType",
- "type": "string"
- },
- {
- "name": "DstVlanId",
- "type": "string"
- },
- {
- "name": "DstZone",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcInboundInterface",
- "type": "string"
- },
- {
- "name": "DvcInterface",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcOutboundInterface",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcSubscriptionId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSubType",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOwner",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventReportUrl",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "FileContentType",
- "type": "string"
- },
- {
- "name": "FileMD5",
- "type": "string"
- },
- {
- "name": "FileName",
- "type": "string"
- },
- {
- "name": "FileSHA1",
- "type": "string"
- },
- {
- "name": "FileSHA256",
- "type": "string"
- },
- {
- "name": "FileSHA512",
- "type": "string"
- },
- {
- "name": "FileSize",
- "type": "int"
- },
- {
- "name": "GroupId",
- "type": "string"
- },
- {
- "name": "GroupIdType",
- "type": "string"
- },
- {
- "name": "GroupName",
- "type": "string"
- },
- {
- "name": "GroupNameType",
- "type": "string"
- },
- {
- "name": "GroupOriginalType",
- "type": "string"
- },
- {
- "name": "GroupType",
- "type": "string"
- },
- {
- "name": "HashType",
- "type": "string"
- },
- {
- "name": "HttpContentFormat",
- "type": "string"
- },
- {
- "name": "HttpContentType",
- "type": "string"
- },
- {
- "name": "HttpHost",
- "type": "string"
- },
- {
- "name": "HttpReferrer",
- "type": "string"
- },
- {
- "name": "HttpRequestMethod",
- "type": "string"
- },
- {
- "name": "HttpRequestTime",
- "type": "int"
- },
- {
- "name": "HttpRequestXff",
- "type": "string"
- },
- {
- "name": "HttpResponseTime",
- "type": "int"
- },
- {
- "name": "HttpUserAgent",
- "type": "string"
- },
- {
- "name": "HttpVersion",
- "type": "string"
- },
- {
- "name": "LogonMethod",
- "type": "string"
- },
- {
- "name": "LogonProtocol",
- "type": "string"
- },
- {
- "name": "NetworkApplicationProtocol",
- "type": "string"
- },
- {
- "name": "NetworkBytes",
- "type": "long"
- },
- {
- "name": "NetworkConnectionHistory",
- "type": "string"
- },
- {
- "name": "NetworkDirection",
- "type": "string"
- },
- {
- "name": "NetworkDuration",
- "type": "int"
- },
- {
- "name": "NetworkIcmpCode",
- "type": "int"
- },
- {
- "name": "NetworkIcmpType",
- "type": "string"
- },
- {
- "name": "NetworkPackets",
- "type": "long"
- },
- {
- "name": "NetworkProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "string"
- },
- {
- "name": "NetworkRuleName",
- "type": "string"
- },
- {
- "name": "NetworkRuleNumber",
- "type": "int"
- },
- {
- "name": "NetworkSessionId",
- "type": "string"
- },
- {
- "name": "NewPropertyValue",
- "type": "string"
- },
- {
- "name": "NewValue",
- "type": "string"
- },
- {
- "name": "Object",
- "type": "string"
- },
- {
- "name": "ObjectId",
- "type": "string"
- },
- {
- "name": "ObjectType",
- "type": "string"
- },
- {
- "name": "OldValue",
- "type": "string"
- },
- {
- "name": "Operation",
- "type": "string"
- },
- {
- "name": "OriginalObjectType",
- "type": "string"
- },
- {
- "name": "ParentProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ParentProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ParentProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ParentProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ParentProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ParentProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ParentProcessGuid",
- "type": "string"
- },
- {
- "name": "ParentProcessId",
- "type": "string"
- },
- {
- "name": "ParentProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ParentProcessInjectedAddress",
- "type": "string"
- },
- {
- "name": "ParentProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ParentProcessIsHidden",
- "type": "boolean"
- },
- {
- "name": "ParentProcessMD5",
- "type": "string"
- },
- {
- "name": "ParentProcessName",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA1",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA256",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA512",
- "type": "string"
- },
- {
- "name": "ParentProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "PreviousPropertyValue",
- "type": "string"
- },
- {
- "name": "RegistryKey",
- "type": "string"
- },
- {
- "name": "RegistryPreviousKey",
- "type": "string"
- },
- {
- "name": "RegistryPreviousValue",
- "type": "string"
- },
- {
- "name": "RegistryPreviousValueData",
- "type": "string"
- },
- {
- "name": "RegistryPreviousValueType",
- "type": "string"
- },
- {
- "name": "RegistryValue",
- "type": "string"
- },
- {
- "name": "RegistryValueData",
- "type": "string"
- },
- {
- "name": "RegistryValueType",
- "type": "string"
- },
- {
- "name": "RequestedIpAddr",
- "type": "string"
- },
- {
- "name": "Rule",
- "type": "string"
- },
- {
- "name": "RuleName",
- "type": "string"
- },
- {
- "name": "RuleNumber",
- "type": "int"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- },
- {
- "name": "Src",
- "type": "string"
- },
- {
- "name": "SrcAppId",
- "type": "string"
- },
- {
- "name": "SrcAppName",
- "type": "string"
- },
- {
- "name": "SrcAppType",
- "type": "string"
- },
- {
- "name": "SrcBytes",
- "type": "long"
- },
- {
- "name": "SrcDescription",
- "type": "string"
- },
- {
- "name": "SrcDeviceType",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcDvcScope",
- "type": "string"
- },
- {
- "name": "SrcDvcScopeId",
- "type": "string"
- },
- {
- "name": "SrcFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "SrcFileDirectory",
- "type": "string"
- },
- {
- "name": "SrcFileExtension",
- "type": "string"
- },
- {
- "name": "SrcFileMD5",
- "type": "string"
- },
- {
- "name": "SrcFileMimeType",
- "type": "string"
- },
- {
- "name": "SrcFileName",
- "type": "string"
- },
- {
- "name": "SrcFilePath",
- "type": "string"
- },
- {
- "name": "SrcFilePathType",
- "type": "string"
- },
- {
- "name": "SrcFileSHA1",
- "type": "string"
- },
- {
- "name": "SrcFileSHA256",
- "type": "string"
- },
- {
- "name": "SrcFileSHA512",
- "type": "string"
- },
- {
- "name": "SrcFileSize",
- "type": "long"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcInterfaceGuid",
- "type": "string"
- },
- {
- "name": "SrcInterfaceName",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcIsp",
- "type": "string"
- },
- {
- "name": "SrcMacAddr",
- "type": "string"
- },
- {
- "name": "SrcNatIpAddr",
- "type": "string"
- },
- {
- "name": "SrcNatPortNumber",
- "type": "int"
- },
- {
- "name": "SrcOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "SrcOriginalUserType",
- "type": "string"
- },
- {
- "name": "SrcPackets",
- "type": "long"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcProcessGuid",
- "type": "string"
- },
- {
- "name": "SrcProcessId",
- "type": "string"
- },
- {
- "name": "SrcProcessName",
- "type": "string"
- },
- {
- "name": "SrcRiskLevel",
- "type": "int"
- },
- {
- "name": "SrcSubscriptionId",
- "type": "string"
- },
- {
- "name": "SrcUserId",
- "type": "string"
- },
- {
- "name": "SrcUserIdType",
- "type": "string"
- },
- {
- "name": "SrcUsername",
- "type": "string"
- },
- {
- "name": "SrcUsernameType",
- "type": "string"
- },
- {
- "name": "SrcUserScope",
- "type": "string"
- },
- {
- "name": "SrcUserScopeId",
- "type": "string"
- },
- {
- "name": "SrcUserSessionId",
- "type": "string"
- },
- {
- "name": "SrcUserType",
- "type": "string"
- },
- {
- "name": "SrcUserUid",
- "type": "string"
- },
- {
- "name": "SrcVlanId",
- "type": "string"
- },
- {
- "name": "SrcZone",
- "type": "string"
- },
- {
- "name": "TargetAppId",
- "type": "string"
- },
- {
- "name": "TargetAppName",
- "type": "string"
- },
- {
- "name": "TargetAppType",
- "type": "string"
- },
- {
- "name": "TargetDescription",
- "type": "string"
- },
- {
- "name": "TargetDeviceType",
- "type": "string"
- },
- {
- "name": "TargetDomain",
- "type": "string"
- },
- {
- "name": "TargetDomainType",
- "type": "string"
- },
- {
- "name": "TargetDvcId",
- "type": "string"
- },
- {
- "name": "TargetDvcIdType",
- "type": "string"
- },
- {
- "name": "TargetDvcOs",
- "type": "string"
- },
- {
- "name": "TargetDvcScope",
- "type": "string"
- },
- {
- "name": "TargetDvcScopeId",
- "type": "string"
- },
- {
- "name": "TargetFileCreationTime",
+ "name": "TimeGenerated",
"type": "datetime"
},
{
- "name": "TargetFileDirectory",
- "type": "string"
- },
- {
- "name": "TargetFileExtension",
- "type": "string"
- },
- {
- "name": "TargetFileMD5",
- "type": "string"
- },
- {
- "name": "TargetFileMimeType",
- "type": "string"
- },
- {
- "name": "TargetFileName",
- "type": "string"
- },
- {
- "name": "TargetFilePath",
- "type": "string"
- },
- {
- "name": "TargetFilePathType",
- "type": "string"
- },
- {
- "name": "TargetFileSHA1",
- "type": "string"
- },
- {
- "name": "TargetFileSHA256",
- "type": "string"
- },
- {
- "name": "TargetFileSHA512",
- "type": "string"
- },
- {
- "name": "TargetFileSize",
- "type": "long"
- },
- {
- "name": "TargetFQDN",
- "type": "string"
- },
- {
- "name": "TargetGeoCity",
- "type": "string"
- },
- {
- "name": "TargetGeoCountry",
- "type": "string"
- },
- {
- "name": "TargetGeoLatitude",
- "type": "real"
- },
- {
- "name": "TargetGeoLongitude",
- "type": "real"
- },
- {
- "name": "TargetGeoRegion",
- "type": "string"
- },
- {
- "name": "TargetHostname",
- "type": "string"
- },
- {
- "name": "TargetIpAddr",
- "type": "string"
- },
- {
- "name": "TargetOriginalAppType",
- "type": "string"
- },
- {
- "name": "TargetOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "TargetOriginalUserType",
- "type": "string"
- },
- {
- "name": "TargetPortNumber",
+ "name": "activity_id",
"type": "int"
},
{
- "name": "TargetProcessCommandLine",
- "type": "string"
- },
- {
- "name": "TargetProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetProcessCurrentDirectory",
+ "name": "activity_name",
"type": "string"
},
{
- "name": "TargetProcessFileCompany",
- "type": "string"
+ "name": "category_uid",
+ "type": "int"
},
{
- "name": "TargetProcessFileDescription",
+ "name": "category_name",
"type": "string"
},
{
- "name": "TargetProcessFileInternalName",
- "type": "string"
+ "name": "class_uid",
+ "type": "int"
},
{
- "name": "TargetProcessFilename",
+ "name": "class_name",
"type": "string"
},
{
- "name": "TargetProcessFileOriginalName",
- "type": "string"
+ "name": "severity_id",
+ "type": "int"
},
{
- "name": "TargetProcessFileProduct",
+ "name": "severity",
"type": "string"
},
{
- "name": "TargetProcessFileSize",
+ "name": "time",
"type": "long"
},
{
- "name": "TargetProcessFileVersion",
- "type": "string"
- },
- {
- "name": "TargetProcessGuid",
- "type": "string"
- },
- {
- "name": "TargetProcessId",
- "type": "string"
- },
- {
- "name": "TargetProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "TargetProcessInjectedAddress",
- "type": "string"
- },
- {
- "name": "TargetProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "TargetProcessIsHidden",
- "type": "boolean"
- },
- {
- "name": "TargetProcessMD5",
- "type": "string"
- },
- {
- "name": "TargetProcessName",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA1",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA256",
- "type": "string"
+ "name": "type_uid",
+ "type": "long"
},
{
- "name": "TargetProcessSHA512",
+ "name": "type_name",
"type": "string"
},
{
- "name": "TargetProcessStatusCode",
+ "name": "message",
"type": "string"
},
{
- "name": "TargetProcessTokenElevation",
+ "name": "raw_data",
"type": "string"
},
{
- "name": "TargetRiskLevel",
+ "name": "status_id",
"type": "int"
},
{
- "name": "TargetScope",
- "type": "string"
- },
- {
- "name": "TargetScopeId",
- "type": "string"
- },
- {
- "name": "TargetSessionId",
- "type": "string"
- },
- {
- "name": "TargetUrl",
- "type": "string"
- },
- {
- "name": "TargetUserId",
- "type": "string"
- },
- {
- "name": "TargetUserIdType",
- "type": "string"
- },
- {
- "name": "TargetUsername",
- "type": "string"
- },
- {
- "name": "TargetUsernameType",
- "type": "string"
- },
- {
- "name": "TargetUserScope",
+ "name": "status",
"type": "string"
},
{
- "name": "TargetUserScopeId",
- "type": "string"
- },
- {
- "name": "TargetUserSessionGuid",
- "type": "string"
- },
- {
- "name": "TargetUserSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserType",
- "type": "string"
- },
- {
- "name": "TargetUserUid",
- "type": "string"
- },
- {
- "name": "TcpFlagsAck",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsFin",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsPsh",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsRst",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsSyn",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsUrg",
- "type": "boolean"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
+ "name": "action_id",
"type": "int"
},
{
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "ThreatFilePath",
+ "name": "action",
"type": "string"
},
{
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatFirstReportedTime_d",
- "type": "datetime"
+ "name": "disposition_id",
+ "type": "int"
},
{
- "name": "ThreatId",
+ "name": "disposition",
"type": "string"
},
{
- "name": "ThreatIpAddr",
+ "name": "rcode",
"type": "string"
},
{
- "name": "ThreatIsActive",
- "type": "boolean"
+ "name": "rcode_id",
+ "type": "int"
},
{
- "name": "ThreatLastReportedTime",
- "type": "datetime"
+ "name": "metadata",
+ "type": "dynamic"
},
{
- "name": "ThreatLastReportedTime_d",
- "type": "datetime"
+ "name": "unmapped",
+ "type": "dynamic"
},
{
- "name": "ThreatName",
- "type": "string"
+ "name": "actor",
+ "type": "dynamic"
},
{
- "name": "ThreatOriginalConfidence",
- "type": "string"
+ "name": "device",
+ "type": "dynamic"
},
{
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
+ "name": "file",
+ "type": "dynamic"
},
{
- "name": "ThreatOriginalRiskLevel_s",
- "type": "string"
+ "name": "process",
+ "type": "dynamic"
},
{
- "name": "ThreatRiskLevel",
- "type": "int"
+ "name": "user",
+ "type": "dynamic"
},
{
- "name": "TimeGenerated",
- "type": "datetime"
+ "name": "dst_endpoint",
+ "type": "dynamic"
},
{
- "name": "TransactionIdHex",
- "type": "string"
+ "name": "src_endpoint",
+ "type": "dynamic"
},
{
- "name": "Type",
- "type": "string"
+ "name": "query",
+ "type": "dynamic"
},
{
- "name": "Url",
- "type": "string"
+ "name": "answers",
+ "type": "dynamic"
},
{
- "name": "UrlCategory",
- "type": "string"
+ "name": "driver",
+ "type": "dynamic"
},
{
- "name": "UrlOriginal",
- "type": "string"
+ "name": "module",
+ "type": "dynamic"
},
{
- "name": "ValueType",
- "type": "string"
+ "name": "app",
+ "type": "dynamic"
}
]
}
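Review bot: The new `Custom-Halcyon` stream keeps the full original event in `raw_data` (string) next to the parsed `process`, `user`, `file`, `src_endpoint` and `unmapped` objects, and nothing in the stream or its transform trims it; if Halcyon populates `raw_data` with the complete OCSF record, every command line, username and endpoint is ingested and retained twice, which doubles ingestion cost and means any field you later decide to drop or mask in the transform still survives inside the raw copy. Log Analytics also truncates oversized column values (the documented per-value limit is on the order of 32 KB), so a large event lands in `raw_data` silently cut — confirm against the current limits. If `raw_data` is needed for forensics, say so in the connector's `descriptionMarkdown`; otherwise consider appending `| project-away raw_data` to the stream's transform. Because the column names are plain OCSF (`class_uid`, `activity_id`, `type_uid`, `severity_id`) with no mapping recorded in this file, a one-line statement in the connector description that the table is OCSF-shaped, including that `time` is epoch milliseconds, would spare detection authors from guessing.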
@@ -1603,49 +171,9 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source | where EventSchema=='Authentication'",
- "outputStream": "Custom-HalcyonAuthenticationEvents_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='Dns'",
- "outputStream": "Custom-HalcyonDnsActivity_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='FileEvent'",
- "outputStream": "Custom-HalcyonFileActivity_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='NetworkSession'",
- "outputStream": "Custom-HalcyonNetworkSession_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='ProcessEvent'",
- "outputStream": "Custom-HalcyonProcessEvent_CL"
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + (['time'] * 1ms) | project-away ['time']",
+ "outputStream": "Custom-HalcyonEvents_CL"
}
]
}
-}
\ No newline at end of file
+}
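Review bot: The `transformKql` line converts `['time']` with `datetime(1970-01-01) + (['time'] * 1ms)` and then drops the column, so a record whose `time` is null or zero gets a TimeGenerated of null or 1970-01-01 and the original value is gone; Log Analytics then either stamps ingestion time or, for timestamps outside its accepted window, may drop the record — verify which applies. A guard keeps the record queryable and makes the assumption explicit: `source | extend TimeGenerated = iff(isnull(['time']) or ['time'] <= 0, now(), datetime(1970-01-01) + (['time'] * 1ms)) | project-away ['time']`. The `* 1ms` scaling presumes the source emits OCSF epoch milliseconds; if it ever emits seconds the timestamps collapse to January 1970 silently, so the unit is worth stating in the connector description. This hunk also collapses the former per-schema tables into a single `HalcyonEvents_CL`, so any workbook or analytic rule still referencing `HalcyonProcessEvent_CL` or its siblings (whose KQL-validation schemas this commit deletes) will fail validation unless updated in the same change.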
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
index b51119368f3..f196711828c 100644
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
+++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
@@ -11,80 +11,31 @@
"publisher": "Halcyon",
"logo": "halcyon.svg",
"descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Authentication Events",
- "legend": "HalcyonAuthenticationEvents_CL",
- "baseQuery": "HalcyonAuthenticationEvents_CL"
- },
- {
- "metricName": "DNS Activity",
- "legend": "HalcyonDnsActivity_CL",
- "baseQuery": "HalcyonDnsActivity_CL"
- },
- {
- "metricName": "File Activity",
- "legend": "HalcyonFileActivity_CL",
- "baseQuery": "HalcyonFileActivity_CL"
- },
- {
- "metricName": "Network Sessions",
- "legend": "HalcyonNetworkSession_CL",
- "baseQuery": "HalcyonNetworkSession_CL"
- },
+ "sampleQueries": [
{
- "metricName": "Process Events",
- "legend": "HalcyonProcessEvent_CL",
- "baseQuery": "HalcyonProcessEvent_CL"
+ "description": "View recent events",
+ "query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
}
],
- "sampleQueries": [
- {
- "description": "Get Sample Authentication Events",
- "query": "HalcyonAuthenticationEvents_CL\n | take 10"
- },
- {
- "description": "Get Sample DNS Activity",
- "query": "HalcyonDnsActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample File Activity",
- "query": "HalcyonFileActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample Network Sessions",
- "query": "HalcyonNetworkSession_CL\n | take 10"
- },
+ "graphQueries": [
{
- "description": "Get Sample Process Events",
- "query": "HalcyonProcessEvent_CL\n | take 10"
+ "metricName": "Events",
+ "legend": "HalcyonEvents_CL",
+ "baseQuery": "HalcyonEvents_CL"
}
],
"dataTypes": [
{
- "name": "Halcyon Authentication Events",
- "lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon DNS Activity",
- "lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon File Activity",
- "lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Network Sessions",
- "lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Process Events",
- "lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "Halcyon Events",
+ "lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
- "type": "HasDataConnectors"
+ "type": "IsConnectedQuery",
+ "value": [
+ "HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ ]
}
],
"availability": {
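Review bot: The new `IsConnectedQuery` value yields a null rather than `false` when HalcyonEvents_CL is empty, because `max(TimeGenerated)` over no rows is null and the `>` comparison propagates it; how the connector page renders a null IsConnected is not visible here, so making it explicit is safer: `"HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = isnotnull(LastLogReceived) and LastLogReceived > ago(7d)"`. A 7-day window also reports the connector as connected a full week after data stops flowing, which is generous for a health signal next to a sample query that looks at 24h; consider documenting why 7d was chosen or tightening it. As a style point, the new sample `query` string ends with a trailing `\n` while the `lastDataReceivedQuery` in the same hunk does not; the same issue of a null connectivity result does not recur in the later hunks of this file.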
@@ -129,14 +80,14 @@
{
"parameters": {
"label": "Deploy Halcyon Connector Resources",
- "applicationDisplayName": "Halcyon Connector Application"
+ "applicationDisplayName": "Halcyon Sentinel Connector"
},
"type": "DeployPushConnectorButton"
}
]
},
{
- "title": "2. Configured your integration in the Halcyon Platform",
+ "title": "2. Configure your integration in the Halcyon Platform",
"description": "Use the following parameters to configure your integration in the Halcyon Platform.",
"instructions": [
{
@@ -180,7 +131,7 @@
},
{
"parameters": {
- "label": "Data Collection Rule Immutable ID (Rule ID)",
+ "label": "Data Collection Rule ID (Rule ID)",
"fillWith": [
"DataCollectionRuleId"
],
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json
deleted file mode 100644
index 472f3f90a15..00000000000
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json
+++ /dev/null
@@ -1,483 +0,0 @@
-{
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2025-07-01",
- "name": "HalcyonAuthenticationEvents_CL",
- "location": "{{location}}",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonAuthenticationEvents_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "EventOwner",
- "type": "string"
- },
- {
- "name": "EventReportUrl",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "LogonMethod",
- "type": "string"
- },
- {
- "name": "LogonProtocol",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "ActorOriginalUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorUserSid",
- "type": "string"
- },
- {
- "name": "ActorUserAadId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "TargetUsername",
- "type": "string"
- },
- {
- "name": "TargetUsernameType",
- "type": "string"
- },
- {
- "name": "TargetUserId",
- "type": "string"
- },
- {
- "name": "TargetUserIdType",
- "type": "string"
- },
- {
- "name": "TargetUserType",
- "type": "string"
- },
- {
- "name": "TargetOriginalUserType",
- "type": "string"
- },
- {
- "name": "TargetUserScope",
- "type": "string"
- },
- {
- "name": "TargetUserScopeId",
- "type": "string"
- },
- {
- "name": "TargetSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserSessionGuid",
- "type": "string"
- },
- {
- "name": "TargetAppName",
- "type": "string"
- },
- {
- "name": "TargetAppId",
- "type": "string"
- },
- {
- "name": "TargetAppType",
- "type": "string"
- },
- {
- "name": "TargetOriginalAppType",
- "type": "string"
- },
- {
- "name": "TargetUrl",
- "type": "string"
- },
- {
- "name": "TargetHostname",
- "type": "string"
- },
- {
- "name": "TargetDomain",
- "type": "string"
- },
- {
- "name": "TargetDomainType",
- "type": "string"
- },
- {
- "name": "TargetFQDN",
- "type": "string"
- },
- {
- "name": "TargetDescription",
- "type": "string"
- },
- {
- "name": "TargetDvcId",
- "type": "string"
- },
- {
- "name": "TargetDvcIdType",
- "type": "string"
- },
- {
- "name": "TargetDvcOs",
- "type": "string"
- },
- {
- "name": "TargetPortNumber",
- "type": "int"
- },
- {
- "name": "TargetIpAddr",
- "type": "string"
- },
- {
- "name": "TargetGeoCity",
- "type": "string"
- },
- {
- "name": "TargetGeoCountry",
- "type": "string"
- },
- {
- "name": "TargetGeoLatitude",
- "type": "real"
- },
- {
- "name": "TargetGeoLongitude",
- "type": "real"
- },
- {
- "name": "TargetGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcDescription",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcIsp",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "HttpUserAgent",
- "type": "string"
- },
- {
- "name": "HttpRequestMethod",
- "type": "string"
- },
- {
- "name": "RuleName",
- "type": "string"
- },
- {
- "name": "RuleNumber",
- "type": "int"
- },
- {
- "name": "Rule",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
-}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json
deleted file mode 100644
index 48af7cdadac..00000000000
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json
+++ /dev/null
@@ -1,455 +0,0 @@
-{
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2025-07-01",
- "name": "HalcyonDnsActivity_CL",
- "location": "{{location}}",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonDnsActivity_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "Src",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcUserId",
- "type": "string"
- },
- {
- "name": "SrcUserIdType",
- "type": "string"
- },
- {
- "name": "SrcUsername",
- "type": "string"
- },
- {
- "name": "SrcUsernameType",
- "type": "string"
- },
- {
- "name": "SrcUserType",
- "type": "string"
- },
- {
- "name": "SrcProcessName",
- "type": "string"
- },
- {
- "name": "SrcProcessId",
- "type": "string"
- },
- {
- "name": "SrcProcessGuid",
- "type": "string"
- },
- {
- "name": "DstIpAddr",
- "type": "string"
- },
- {
- "name": "DstPortNumber",
- "type": "int"
- },
- {
- "name": "DstHostname",
- "type": "string"
- },
- {
- "name": "DstDomain",
- "type": "string"
- },
- {
- "name": "DstDomainType",
- "type": "string"
- },
- {
- "name": "DstFQDN",
- "type": "string"
- },
- {
- "name": "DstDvcId",
- "type": "string"
- },
- {
- "name": "DstDvcIdType",
- "type": "string"
- },
- {
- "name": "DstGeoCity",
- "type": "string"
- },
- {
- "name": "DstGeoCountry",
- "type": "string"
- },
- {
- "name": "DstGeoLatitude",
- "type": "real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "real"
- },
- {
- "name": "DstGeoRegion",
- "type": "string"
- },
- {
- "name": "DnsQuery",
- "type": "string"
- },
- {
- "name": "DnsQueryType",
- "type": "int"
- },
- {
- "name": "DnsQueryTypeName",
- "type": "string"
- },
- {
- "name": "DnsQueryClass",
- "type": "int"
- },
- {
- "name": "DnsQueryClassName",
- "type": "string"
- },
- {
- "name": "DnsResponseCode",
- "type": "int"
- },
- {
- "name": "DnsResponseName",
- "type": "string"
- },
- {
- "name": "DnsResponseIpCity",
- "type": "string"
- },
- {
- "name": "DnsResponseIpCountry",
- "type": "string"
- },
- {
- "name": "DnsResponseIpLatitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpLongitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpRegion",
- "type": "string"
- },
- {
- "name": "DnsFlags",
- "type": "string"
- },
- {
- "name": "DnsFlagsAuthenticated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsAuthoritative",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsCheckingDisabled",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionAvailable",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionDesired",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsTruncated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsZ",
- "type": "boolean"
- },
- {
- "name": "DnsNetworkDuration",
- "type": "int"
- },
- {
- "name": "DnsSessionId",
- "type": "string"
- },
- {
- "name": "TransactionIdHex",
- "type": "string"
- },
- {
- "name": "NetworkProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
-}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json
deleted file mode 100644
index c639264927e..00000000000
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json
+++ /dev/null
@@ -1,435 +0,0 @@
-{
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2025-07-01",
- "name": "HalcyonFileActivity_CL",
- "location": "{{location}}",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonFileActivity_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "ActingProcessName",
- "type": "string"
- },
- {
- "name": "ActingProcessId",
- "type": "string"
- },
- {
- "name": "ActingProcessGuid",
- "type": "string"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "long"
- },
- {
- "name": "ActingProcessMD5",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "string"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetFileName",
- "type": "string"
- },
- {
- "name": "TargetFilePath",
- "type": "string"
- },
- {
- "name": "TargetFilePathType",
- "type": "string"
- },
- {
- "name": "TargetFileDirectory",
- "type": "string"
- },
- {
- "name": "TargetFileExtension",
- "type": "string"
- },
- {
- "name": "TargetFileMimeType",
- "type": "string"
- },
- {
- "name": "TargetFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetFileSize",
- "type": "long"
- },
- {
- "name": "TargetFileMD5",
- "type": "string"
- },
- {
- "name": "TargetFileSHA1",
- "type": "string"
- },
- {
- "name": "TargetFileSHA256",
- "type": "string"
- },
- {
- "name": "TargetFileSHA512",
- "type": "string"
- },
- {
- "name": "SrcFileName",
- "type": "string"
- },
- {
- "name": "SrcFilePath",
- "type": "string"
- },
- {
- "name": "SrcFilePathType",
- "type": "string"
- },
- {
- "name": "SrcFileDirectory",
- "type": "string"
- },
- {
- "name": "SrcFileExtension",
- "type": "string"
- },
- {
- "name": "SrcFileMimeType",
- "type": "string"
- },
- {
- "name": "SrcFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "SrcFileSize",
- "type": "long"
- },
- {
- "name": "SrcFileMD5",
- "type": "string"
- },
- {
- "name": "SrcFileSHA1",
- "type": "string"
- },
- {
- "name": "SrcFileSHA256",
- "type": "string"
- },
- {
- "name": "SrcFileSHA512",
- "type": "string"
- },
- {
- "name": "HashType",
- "type": "string"
- },
- {
- "name": "FileMD5",
- "type": "string"
- },
- {
- "name": "FileSHA1",
- "type": "string"
- },
- {
- "name": "FileSHA256",
- "type": "string"
- },
- {
- "name": "FileSHA512",
- "type": "string"
- },
- {
- "name": "FileContentType",
- "type": "string"
- },
- {
- "name": "FileSize",
- "type": "int"
- },
- {
- "name": "FileName",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatFilePath",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
-}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json
deleted file mode 100644
index d56b1a9f5d0..00000000000
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json
+++ /dev/null
@@ -1,659 +0,0 @@
-{
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2025-07-01",
- "name": "HalcyonNetworkSession_CL",
- "location": "{{location}}",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonNetworkSession_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcInterface",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "Src",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcScopeId",
- "type": "string"
- },
- {
- "name": "SrcDvcScope",
- "type": "string"
- },
- {
- "name": "SrcDeviceType",
- "type": "string"
- },
- {
- "name": "SrcUserId",
- "type": "string"
- },
- {
- "name": "SrcUserIdType",
- "type": "string"
- },
- {
- "name": "SrcUsername",
- "type": "string"
- },
- {
- "name": "SrcUsernameType",
- "type": "string"
- },
- {
- "name": "SrcUserType",
- "type": "string"
- },
- {
- "name": "SrcOriginalUserType",
- "type": "string"
- },
- {
- "name": "SrcUserScope",
- "type": "string"
- },
- {
- "name": "SrcUserScopeId",
- "type": "string"
- },
- {
- "name": "SrcMacAddr",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcIsp",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcRiskLevel",
- "type": "int"
- },
- {
- "name": "SrcOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "SrcProcessName",
- "type": "string"
- },
- {
- "name": "SrcProcessId",
- "type": "string"
- },
- {
- "name": "SrcProcessGuid",
- "type": "string"
- },
- {
- "name": "SrcAppName",
- "type": "string"
- },
- {
- "name": "SrcAppId",
- "type": "string"
- },
- {
- "name": "SrcAppType",
- "type": "string"
- },
- {
- "name": "SrcZone",
- "type": "string"
- },
- {
- "name": "SrcInterfaceName",
- "type": "string"
- },
- {
- "name": "SrcInterfaceGuid",
- "type": "string"
- },
- {
- "name": "SrcVlanId",
- "type": "string"
- },
- {
- "name": "SrcSubscriptionId",
- "type": "string"
- },
- {
- "name": "Dst",
- "type": "string"
- },
- {
- "name": "DstIpAddr",
- "type": "string"
- },
- {
- "name": "DstPortNumber",
- "type": "int"
- },
- {
- "name": "DstHostname",
- "type": "string"
- },
- {
- "name": "DstDomain",
- "type": "string"
- },
- {
- "name": "DstDomainType",
- "type": "string"
- },
- {
- "name": "DstFQDN",
- "type": "string"
- },
- {
- "name": "DstDvcId",
- "type": "string"
- },
- {
- "name": "DstDvcIdType",
- "type": "string"
- },
- {
- "name": "DstDvcScopeId",
- "type": "string"
- },
- {
- "name": "DstDvcScope",
- "type": "string"
- },
- {
- "name": "DstDeviceType",
- "type": "string"
- },
- {
- "name": "DstUserId",
- "type": "string"
- },
- {
- "name": "DstUserIdType",
- "type": "string"
- },
- {
- "name": "DstUsername",
- "type": "string"
- },
- {
- "name": "DstUsernameType",
- "type": "string"
- },
- {
- "name": "DstUserType",
- "type": "string"
- },
- {
- "name": "DstOriginalUserType",
- "type": "string"
- },
- {
- "name": "DstUserScope",
- "type": "string"
- },
- {
- "name": "DstUserScopeId",
- "type": "string"
- },
- {
- "name": "DstMacAddr",
- "type": "string"
- },
- {
- "name": "DstDvcOs",
- "type": "string"
- },
- {
- "name": "DstIsp",
- "type": "string"
- },
- {
- "name": "DstGeoCity",
- "type": "string"
- },
- {
- "name": "DstGeoCountry",
- "type": "string"
- },
- {
- "name": "DstGeoLatitude",
- "type": "real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "real"
- },
- {
- "name": "DstGeoRegion",
- "type": "string"
- },
- {
- "name": "DstRiskLevel",
- "type": "int"
- },
- {
- "name": "DstOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "DstProcessName",
- "type": "string"
- },
- {
- "name": "DstProcessId",
- "type": "string"
- },
- {
- "name": "DstProcessGuid",
- "type": "string"
- },
- {
- "name": "DstAppName",
- "type": "string"
- },
- {
- "name": "DstAppId",
- "type": "string"
- },
- {
- "name": "DstAppType",
- "type": "string"
- },
- {
- "name": "DstZone",
- "type": "string"
- },
- {
- "name": "DstInterfaceName",
- "type": "string"
- },
- {
- "name": "DstInterfaceGuid",
- "type": "string"
- },
- {
- "name": "DstVlanId",
- "type": "string"
- },
- {
- "name": "DstSubscriptionId",
- "type": "string"
- },
- {
- "name": "NetworkApplicationProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "string"
- },
- {
- "name": "NetworkDirection",
- "type": "string"
- },
- {
- "name": "NetworkDuration",
- "type": "int"
- },
- {
- "name": "NetworkIcmpCode",
- "type": "int"
- },
- {
- "name": "NetworkIcmpType",
- "type": "string"
- },
- {
- "name": "NetworkConnectionHistory",
- "type": "string"
- },
- {
- "name": "DstBytes",
- "type": "long"
- },
- {
- "name": "SrcBytes",
- "type": "long"
- },
- {
- "name": "NetworkBytes",
- "type": "long"
- },
- {
- "name": "DstPackets",
- "type": "long"
- },
- {
- "name": "SrcPackets",
- "type": "long"
- },
- {
- "name": "NetworkPackets",
- "type": "long"
- },
- {
- "name": "NetworkSessionId",
- "type": "string"
- },
- {
- "name": "SessionId",
- "type": "string"
- },
- {
- "name": "SrcNatIpAddr",
- "type": "string"
- },
- {
- "name": "SrcNatPortNumber",
- "type": "int"
- },
- {
- "name": "DstNatIpAddr",
- "type": "string"
- },
- {
- "name": "DstNatPortNumber",
- "type": "int"
- },
- {
- "name": "TcpFlags",
- "type": "string"
- },
- {
- "name": "SrcVmName",
- "type": "string"
- },
- {
- "name": "DstVmName",
- "type": "string"
- },
- {
- "name": "NetworkRuleName",
- "type": "string"
- },
- {
- "name": "NetworkRuleNumber",
- "type": "int"
- },
- {
- "name": "Rule",
- "type": "string"
- },
- {
- "name": "RuleName",
- "type": "string"
- },
- {
- "name": "RuleNumber",
- "type": "int"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
-}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json
deleted file mode 100644
index 5f7f382571e..00000000000
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json
+++ /dev/null
@@ -1,511 +0,0 @@
-{
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2025-07-01",
- "name": "HalcyonProcessEvent_CL",
- "location": "{{location}}",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonProcessEvent_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "ActingProcessName",
- "type": "string"
- },
- {
- "name": "ActingProcessId",
- "type": "string"
- },
- {
- "name": "ActingProcessGuid",
- "type": "string"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "long"
- },
- {
- "name": "ActingProcessMD5",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "string"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "ParentProcessName",
- "type": "string"
- },
- {
- "name": "ParentProcessId",
- "type": "string"
- },
- {
- "name": "ParentProcessGuid",
- "type": "string"
- },
- {
- "name": "ParentProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ParentProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ParentProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ParentProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ParentProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ParentProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ParentProcessFileSize",
- "type": "long"
- },
- {
- "name": "ParentProcessMD5",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA1",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA256",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA512",
- "type": "string"
- },
- {
- "name": "ParentProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ParentProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ParentProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetProcessName",
- "type": "string"
- },
- {
- "name": "TargetProcessId",
- "type": "string"
- },
- {
- "name": "TargetProcessGuid",
- "type": "string"
- },
- {
- "name": "TargetProcessCommandLine",
- "type": "string"
- },
- {
- "name": "TargetProcessCurrentDirectory",
- "type": "string"
- },
- {
- "name": "TargetProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetProcessFileCompany",
- "type": "string"
- },
- {
- "name": "TargetProcessFileDescription",
- "type": "string"
- },
- {
- "name": "TargetProcessFileProduct",
- "type": "string"
- },
- {
- "name": "TargetProcessFileVersion",
- "type": "string"
- },
- {
- "name": "TargetProcessFileSize",
- "type": "long"
- },
- {
- "name": "TargetProcessMD5",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA1",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA256",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA512",
- "type": "string"
- },
- {
- "name": "TargetProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "TargetProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "TargetProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetUsername",
- "type": "string"
- },
- {
- "name": "TargetUsernameType",
- "type": "string"
- },
- {
- "name": "TargetUserId",
- "type": "string"
- },
- {
- "name": "TargetUserIdType",
- "type": "string"
- },
- {
- "name": "TargetUserType",
- "type": "string"
- },
- {
- "name": "TargetUserSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserScope",
- "type": "string"
- },
- {
- "name": "TargetUserScopeId",
- "type": "string"
- },
- {
- "name": "Hash",
- "type": "string"
- },
- {
- "name": "HashType",
- "type": "string"
- },
- {
- "name": "MD5",
- "type": "string"
- },
- {
- "name": "SHA1",
- "type": "string"
- },
- {
- "name": "SHA256",
- "type": "string"
- },
- {
- "name": "SHA512",
- "type": "string"
- },
- {
- "name": "IMPHASH",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatFilePath",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
-}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json
new file mode 100644
index 00000000000..d2c73e8cea6
--- /dev/null
+++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json
@@ -0,0 +1,155 @@
+{
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2025-07-01",
+ "name": "HalcyonEvents_CL",
+ "location": "{{location}}",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "HalcyonEvents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "activity_id",
+ "type": "int"
+ },
+ {
+ "name": "activity_name",
+ "type": "string"
+ },
+ {
+ "name": "category_uid",
+ "type": "int"
+ },
+ {
+ "name": "category_name",
+ "type": "string"
+ },
+ {
+ "name": "class_uid",
+ "type": "int"
+ },
+ {
+ "name": "class_name",
+ "type": "string"
+ },
+ {
+ "name": "severity_id",
+ "type": "int"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "type_uid",
+ "type": "long"
+ },
+ {
+ "name": "type_name",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "raw_data",
+ "type": "string"
+ },
+ {
+ "name": "status_id",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "action_id",
+ "type": "int"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "disposition_id",
+ "type": "int"
+ },
+ {
+ "name": "disposition",
+ "type": "string"
+ },
+ {
+ "name": "rcode",
+ "type": "string"
+ },
+ {
+ "name": "rcode_id",
+ "type": "int"
+ },
+ {
+ "name": "metadata",
+ "type": "dynamic"
+ },
+ {
+ "name": "unmapped",
+ "type": "dynamic"
+ },
+ {
+ "name": "actor",
+ "type": "dynamic"
+ },
+ {
+ "name": "device",
+ "type": "dynamic"
+ },
+ {
+ "name": "file",
+ "type": "dynamic"
+ },
+ {
+ "name": "process",
+ "type": "dynamic"
+ },
+ {
+ "name": "user",
+ "type": "dynamic"
+ },
+ {
+ "name": "dst_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "src_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "query",
+ "type": "dynamic"
+ },
+ {
+ "name": "answers",
+ "type": "dynamic"
+ },
+ {
+ "name": "driver",
+ "type": "dynamic"
+ },
+ {
+ "name": "module",
+ "type": "dynamic"
+ },
+ {
+ "name": "app",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+}
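Review bot: The column list for HalcyonEvents_CL here does not include the `time` column that the `Custom-Halcyon` stream declaration in mainTemplate.json adds in this same change (`"name": "time"`, `"type": "long"`), so the two schemas for the same table disagree unless the DCR transform drops that field. If the value is meant to be stored, add `{ "name": "time", "type": "long" }` to this column list; if it is only an input field used to derive TimeGenerated, that transform is not visible in this hunk and should be confirmed before release. Because `actor`, `device`, `process`, `user`, `file` and the endpoint columns are declared as `dynamic` rather than the typed ASim columns of the removed tables, any detection or hunting content must now extract fields from those objects at query time; that is a consequence of the redesign rather than a defect here, but it belongs in the release notes next to the dropped HalcyonProcessEvent_CL and sibling tables.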
diff --git a/Solutions/Halcyon/Data/Solution_Halcyon.json b/Solutions/Halcyon/Data/Solution_Halcyon.json
index ea2ebf322c5..e7faa6a071a 100644
--- a/Solutions/Halcyon/Data/Solution_Halcyon.json
+++ b/Solutions/Halcyon/Data/Solution_Halcyon.json
@@ -1,25 +1,19 @@
{
"Name": "Halcyon",
- "Author": "Halcyon",
+ "Author": "Halcyon - support@halcyon.ai",
"Logo": "",
- "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
+ "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional data ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\n\nb. [Azure Monitor Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)\n\nc. [Azure Monitor Data Collection Endpoints (DCE)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview)\n\nd. [Azure Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)",
"Data Connectors": [
"Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json"
],
- "Parsers": [
- "Parsers/ASimAuthenticationHalcyon.yaml",
- "Parsers/ASimDnsHalcyon.yaml",
- "Parsers/ASimFileEventHalcyon.yaml",
- "Parsers/ASimNetworkSessionHalcyon.yaml",
- "Parsers/ASimProcessEventHalcyon.yaml"
- ],
+ "Parsers": [],
"Workbooks": [],
"Analytic Rules": [],
"Hunting Queries": [],
"Playbooks": [],
- "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
- "Version": "3.0.0",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Halcyon",
+ "Version": "3.1.0",
"Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
+ "TemplateSpec": false,
"Is1PConnector": false
-}
\ No newline at end of file
+}
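Review bot: The version moves from 3.0.0 to 3.1.0 while the solution drops all five ASim parsers and the five per-schema `*_CL` tables in favour of a single HalcyonEvents_CL table, so for an existing deployment this is a breaking change: saved queries, workbooks or analytics rules written against `HalcyonAuthenticationEvents_CL`, `HalcyonProcessEvent_CL` or the `ASim*Halcyon` parser functions stop returning data once the connector starts writing to the new table. A minor bump understates that; at minimum the ReleaseNotes.md that createUiDefinition.json links to should state which tables and parsers are retired and that the previously created tables and saved searches are presumably left in place in the workspace rather than removed by the update, so operators know to clean them up or keep them for historical queries.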
diff --git a/Solutions/Halcyon/Package/3.1.0.zip b/Solutions/Halcyon/Package/3.1.0.zip
new file mode 100644
index 00000000000..c94768f45be
Binary files /dev/null and b/Solutions/Halcyon/Package/3.1.0.zip differ
diff --git a/Solutions/Halcyon/Package/createUiDefinition.json b/Solutions/Halcyon/Package/createUiDefinition.json
index 920399a9505..4a2f406fc6e 100644
--- a/Solutions/Halcyon/Package/createUiDefinition.json
+++ b/Solutions/Halcyon/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Halcyon/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1, **Parsers:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Halcyon/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional data ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\n\nb. [Azure Monitor Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)\n\nc. [Azure Monitor Data Collection Endpoints (DCE)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview)\n\nd. [Azure Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Halcyon/Package/mainTemplate.json b/Solutions/Halcyon/Package/mainTemplate.json
index 4ba7086073a..e4ebff86b5a 100644
--- a/Solutions/Halcyon/Package/mainTemplate.json
+++ b/Solutions/Halcyon/Package/mainTemplate.json
@@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
- "author": "Halcyon",
+ "author": "Halcyon - support@halcyon.ai",
"comments": "Solution template for Halcyon"
},
"parameters": {
@@ -44,53 +44,20 @@
}
},
"variables": {
+ "email": "support@halcyon.ai",
+ "_email": "[variables('email')]",
"_solutionName": "Halcyon",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.1.0",
"solutionId": "halcyontech1743610828684.azure-sentinel-solution-halcyon",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "dataConnectorCCPVersion": "1.0.0",
+ "dataConnectorCCPVersion": "3.1.0",
"_dataConnectorContentIdConnectorDefinition1": "HalcyonPush",
"dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
"_dataConnectorContentIdConnections1": "HalcyonPushConnections",
"dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
"dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
- "parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','ASimAuthenticationHalcyon')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimAuthenticationHalcyon-Parser')))]",
- "parserVersion1": "1.0.0",
- "parserContentId1": "ASimAuthenticationHalcyon-Parser"
- },
- "parserObject2": {
- "_parserName2": "[concat(parameters('workspace'),'/','ASimDnsHalcyon')]",
- "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]",
- "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimDnsHalcyon-Parser')))]",
- "parserVersion2": "1.0.0",
- "parserContentId2": "ASimDnsHalcyon-Parser"
- },
- "parserObject3": {
- "_parserName3": "[concat(parameters('workspace'),'/','ASimFileEventHalcyon')]",
- "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimFileEventHalcyon')]",
- "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimFileEventHalcyon-Parser')))]",
- "parserVersion3": "1.0.0",
- "parserContentId3": "ASimFileEventHalcyon-Parser"
- },
- "parserObject4": {
- "_parserName4": "[concat(parameters('workspace'),'/','ASimNetworkSessionHalcyon')]",
- "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]",
- "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimNetworkSessionHalcyon-Parser')))]",
- "parserVersion4": "1.0.0",
- "parserContentId4": "ASimNetworkSessionHalcyon-Parser"
- },
- "parserObject5": {
- "_parserName5": "[concat(parameters('workspace'),'/','ASimProcessEventHalcyon')]",
- "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]",
- "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimProcessEventHalcyon-Parser')))]",
- "parserVersion5": "1.0.0",
- "parserContentId5": "ASimProcessEventHalcyon-Parser"
- },
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -125,80 +92,31 @@
"publisher": "Halcyon",
"logo": "halcyon.svg",
"descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Authentication Events",
- "legend": "HalcyonAuthenticationEvents_CL",
- "baseQuery": "HalcyonAuthenticationEvents_CL"
- },
- {
- "metricName": "DNS Activity",
- "legend": "HalcyonDnsActivity_CL",
- "baseQuery": "HalcyonDnsActivity_CL"
- },
- {
- "metricName": "File Activity",
- "legend": "HalcyonFileActivity_CL",
- "baseQuery": "HalcyonFileActivity_CL"
- },
- {
- "metricName": "Network Sessions",
- "legend": "HalcyonNetworkSession_CL",
- "baseQuery": "HalcyonNetworkSession_CL"
- },
+ "sampleQueries": [
{
- "metricName": "Process Events",
- "legend": "HalcyonProcessEvent_CL",
- "baseQuery": "HalcyonProcessEvent_CL"
+ "description": "View recent events",
+ "query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
}
],
- "sampleQueries": [
- {
- "description": "Get Sample Authentication Events",
- "query": "HalcyonAuthenticationEvents_CL\n | take 10"
- },
- {
- "description": "Get Sample DNS Activity",
- "query": "HalcyonDnsActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample File Activity",
- "query": "HalcyonFileActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample Network Sessions",
- "query": "HalcyonNetworkSession_CL\n | take 10"
- },
+ "graphQueries": [
{
- "description": "Get Sample Process Events",
- "query": "HalcyonProcessEvent_CL\n | take 10"
+ "metricName": "Events",
+ "legend": "HalcyonEvents_CL",
+ "baseQuery": "HalcyonEvents_CL"
}
],
"dataTypes": [
{
- "name": "Halcyon Authentication Events",
- "lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon DNS Activity",
- "lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon File Activity",
- "lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Network Sessions",
- "lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Process Events",
- "lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "Halcyon Events",
+ "lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
- "type": "HasDataConnectors"
+ "type": "IsConnectedQuery",
+ "value": [
+ "HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ ]
}
],
"availability": {
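Review bot: The new `IsConnectedQuery` reports the connector as connected for seven days after the last received event (`LastLogReceived > ago(7d)`), so a feed that silently stops is still shown as healthy for up to a week; `lastDataReceivedQuery` above gives the accurate timestamp, but the connected/disconnected status is what operators glance at. If a week is not deliberate, a shorter window such as `ago(3d)` surfaces a stalled push integration sooner, and whichever threshold is chosen is worth a sentence in the connector description. Note also that `HasDataConnectors`, which this replaces, marks a push connector as connected as soon as its resources are deployed; with the query-based criterion a freshly deployed connector shows as disconnected until the first event arrives, which may be intended but should be mentioned in the setup instructions so it is not mistaken for a misconfiguration.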
@@ -243,14 +161,14 @@
{
"parameters": {
"label": "Deploy Halcyon Connector Resources",
- "applicationDisplayName": "Halcyon Connector Application"
+ "applicationDisplayName": "Halcyon Sentinel Connector"
},
"type": "DeployPushConnectorButton"
}
]
},
{
- "title": "2. Configured your integration in the Halcyon Platform",
+ "title": "2. Configure your integration in the Halcyon Platform",
"description": "Use the following parameters to configure your integration in the Halcyon Platform.",
"instructions": [
{
@@ -294,7 +212,7 @@
},
{
"parameters": {
- "label": "Data Collection Rule Immutable ID (Rule ID)",
+ "label": "Data Collection Rule ID (Rule ID)",
"fillWith": [
"DataCollectionRuleId"
],
@@ -323,7 +241,8 @@
"kind": "Solution"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
@@ -354,4609 +273,326 @@
"Custom-Halcyon": {
"columns": [
{
- "name": "ActingAppId",
- "type": "string"
- },
- {
- "name": "ActingAppName",
- "type": "string"
- },
- {
- "name": "ActingAppType",
- "type": "string"
- },
- {
- "name": "ActingOriginalAppType",
- "type": "string"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ActingProcessCreationTime",
+ "name": "TimeGenerated",
"type": "datetime"
},
{
- "name": "ActingProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ActingProcessFileInternalName",
- "type": "string"
- },
- {
- "name": "ActingProcessFilename",
- "type": "string"
- },
- {
- "name": "ActingProcessFileOriginalName",
- "type": "string"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "long"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ActingProcessGuid",
- "type": "string"
- },
- {
- "name": "ActingProcessId",
- "type": "string"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ActingProcessInjectedAddress",
- "type": "string"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ActingProcessIsHidden",
- "type": "boolean"
- },
- {
- "name": "ActingProcessMD5",
- "type": "string"
- },
- {
- "name": "ActingProcessName",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "string"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "ActorOriginalUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "ActorUserAadId",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserSid",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "DhcpCircuitId",
- "type": "string"
- },
- {
- "name": "DhcpLeaseDuration",
- "type": "int"
- },
- {
- "name": "DhcpSessionDuration",
- "type": "int"
- },
- {
- "name": "DhcpSessionId",
- "type": "string"
- },
- {
- "name": "DhcpSrcDHCId",
- "type": "string"
- },
- {
- "name": "DhcpSubscriberId",
- "type": "string"
- },
- {
- "name": "DhcpUserClass",
- "type": "string"
- },
- {
- "name": "DhcpUserClassId",
- "type": "string"
- },
- {
- "name": "DhcpVendorClass",
- "type": "string"
- },
- {
- "name": "DhcpVendorClassId",
- "type": "string"
- },
- {
- "name": "DnsFlags",
- "type": "string"
- },
- {
- "name": "DnsFlagsAuthenticated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsAuthoritative",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsCheckingDisabled",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionAvailable",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionDesired",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsTruncated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsZ",
- "type": "boolean"
- },
- {
- "name": "DnsNetworkDuration",
+ "name": "activity_id",
"type": "int"
},
{
- "name": "DnsQuery",
+ "name": "activity_name",
"type": "string"
},
{
- "name": "DnsQueryClass",
+ "name": "category_uid",
"type": "int"
},
{
- "name": "DnsQueryClassName",
+ "name": "category_name",
"type": "string"
},
{
- "name": "DnsQueryType",
+ "name": "class_uid",
"type": "int"
},
{
- "name": "DnsQueryTypeName",
+ "name": "class_name",
"type": "string"
},
{
- "name": "DnsResponseCode",
+ "name": "severity_id",
"type": "int"
},
{
- "name": "DnsResponseIpCity",
- "type": "string"
- },
- {
- "name": "DnsResponseIpCountry",
- "type": "string"
- },
- {
- "name": "DnsResponseIpLatitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpLongitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpRegion",
- "type": "string"
- },
- {
- "name": "DnsResponseName",
- "type": "string"
- },
- {
- "name": "DnsSessionId",
- "type": "string"
- },
- {
- "name": "Dst",
- "type": "string"
- },
- {
- "name": "DstAppId",
- "type": "string"
- },
- {
- "name": "DstAppName",
- "type": "string"
- },
- {
- "name": "DstAppType",
+ "name": "severity",
"type": "string"
},
{
- "name": "DstBytes",
+ "name": "time",
"type": "long"
},
{
- "name": "DstDescription",
- "type": "string"
+ "name": "type_uid",
+ "type": "long"
},
{
- "name": "DstDeviceType",
+ "name": "type_name",
"type": "string"
},
{
- "name": "DstDomain",
+ "name": "message",
"type": "string"
},
{
- "name": "DstDomainType",
+ "name": "raw_data",
"type": "string"
},
{
- "name": "DstDvcId",
- "type": "string"
+ "name": "status_id",
+ "type": "int"
},
{
- "name": "DstDvcIdType",
+ "name": "status",
"type": "string"
},
{
- "name": "DstDvcScope",
- "type": "string"
+ "name": "action_id",
+ "type": "int"
},
{
- "name": "DstDvcScopeId",
+ "name": "action",
"type": "string"
},
{
- "name": "DstFQDN",
- "type": "string"
+ "name": "disposition_id",
+ "type": "int"
},
{
- "name": "DstGeoCity",
+ "name": "disposition",
"type": "string"
},
{
- "name": "DstGeoCountry",
+ "name": "rcode",
"type": "string"
},
{
- "name": "DstGeoLatitude",
- "type": "real"
+ "name": "rcode_id",
+ "type": "int"
},
{
- "name": "DstGeoLongitude",
- "type": "real"
+ "name": "metadata",
+ "type": "dynamic"
},
{
- "name": "DstGeoRegion",
- "type": "string"
+ "name": "unmapped",
+ "type": "dynamic"
},
{
- "name": "DstHostname",
- "type": "string"
+ "name": "actor",
+ "type": "dynamic"
},
{
- "name": "DstInterfaceGuid",
- "type": "string"
+ "name": "device",
+ "type": "dynamic"
},
{
- "name": "DstInterfaceName",
- "type": "string"
+ "name": "file",
+ "type": "dynamic"
},
{
- "name": "DstIpAddr",
- "type": "string"
+ "name": "process",
+ "type": "dynamic"
},
{
- "name": "DstMacAddr",
- "type": "string"
+ "name": "user",
+ "type": "dynamic"
},
{
- "name": "DstNatIpAddr",
- "type": "string"
+ "name": "dst_endpoint",
+ "type": "dynamic"
},
{
- "name": "DstNatPortNumber",
- "type": "int"
+ "name": "src_endpoint",
+ "type": "dynamic"
},
{
- "name": "DstOriginalRiskLevel",
- "type": "string"
+ "name": "query",
+ "type": "dynamic"
},
{
- "name": "DstOriginalUserType",
- "type": "string"
+ "name": "answers",
+ "type": "dynamic"
},
{
- "name": "DstPackets",
- "type": "long"
+ "name": "driver",
+ "type": "dynamic"
},
{
- "name": "DstPortNumber",
- "type": "int"
+ "name": "module",
+ "type": "dynamic"
},
{
- "name": "DstRiskLevel",
- "type": "int"
- },
- {
- "name": "DstSubscriptionId",
- "type": "string"
- },
- {
- "name": "DstUserId",
- "type": "string"
- },
- {
- "name": "DstUserIdType",
- "type": "string"
- },
- {
- "name": "DstUsername",
- "type": "string"
- },
- {
- "name": "DstUsernameType",
- "type": "string"
- },
- {
- "name": "DstUserType",
- "type": "string"
- },
- {
- "name": "DstVlanId",
- "type": "string"
- },
- {
- "name": "DstZone",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcInboundInterface",
- "type": "string"
- },
- {
- "name": "DvcInterface",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcOutboundInterface",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcSubscriptionId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSubType",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOwner",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventReportUrl",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "FileContentType",
- "type": "string"
- },
- {
- "name": "FileMD5",
- "type": "string"
- },
- {
- "name": "FileName",
- "type": "string"
- },
- {
- "name": "FileSHA1",
- "type": "string"
- },
- {
- "name": "FileSHA256",
- "type": "string"
- },
- {
- "name": "FileSHA512",
- "type": "string"
- },
- {
- "name": "FileSize",
- "type": "int"
- },
- {
- "name": "GroupId",
- "type": "string"
- },
- {
- "name": "GroupIdType",
- "type": "string"
- },
- {
- "name": "GroupName",
- "type": "string"
- },
- {
- "name": "GroupNameType",
- "type": "string"
- },
- {
- "name": "GroupOriginalType",
- "type": "string"
- },
- {
- "name": "GroupType",
- "type": "string"
- },
- {
- "name": "HashType",
- "type": "string"
- },
- {
- "name": "HttpContentFormat",
- "type": "string"
- },
- {
- "name": "HttpContentType",
- "type": "string"
- },
- {
- "name": "HttpHost",
- "type": "string"
- },
- {
- "name": "HttpReferrer",
- "type": "string"
- },
- {
- "name": "HttpRequestMethod",
- "type": "string"
- },
- {
- "name": "HttpRequestTime",
- "type": "int"
- },
- {
- "name": "HttpRequestXff",
- "type": "string"
- },
- {
- "name": "HttpResponseTime",
- "type": "int"
- },
- {
- "name": "HttpUserAgent",
- "type": "string"
- },
- {
- "name": "HttpVersion",
- "type": "string"
- },
- {
- "name": "LogonMethod",
- "type": "string"
- },
- {
- "name": "LogonProtocol",
- "type": "string"
- },
- {
- "name": "NetworkApplicationProtocol",
- "type": "string"
- },
- {
- "name": "NetworkBytes",
- "type": "long"
- },
- {
- "name": "NetworkConnectionHistory",
- "type": "string"
- },
- {
- "name": "NetworkDirection",
- "type": "string"
- },
- {
- "name": "NetworkDuration",
- "type": "int"
- },
- {
- "name": "NetworkIcmpCode",
- "type": "int"
- },
- {
- "name": "NetworkIcmpType",
- "type": "string"
- },
- {
- "name": "NetworkPackets",
- "type": "long"
- },
- {
- "name": "NetworkProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "string"
- },
- {
- "name": "NetworkRuleName",
- "type": "string"
- },
- {
- "name": "NetworkRuleNumber",
- "type": "int"
- },
- {
- "name": "NetworkSessionId",
- "type": "string"
- },
- {
- "name": "NewPropertyValue",
- "type": "string"
- },
- {
- "name": "NewValue",
- "type": "string"
- },
- {
- "name": "Object",
- "type": "string"
- },
- {
- "name": "ObjectId",
- "type": "string"
- },
- {
- "name": "ObjectType",
- "type": "string"
- },
- {
- "name": "OldValue",
- "type": "string"
- },
- {
- "name": "Operation",
- "type": "string"
- },
- {
- "name": "OriginalObjectType",
- "type": "string"
- },
- {
- "name": "ParentProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ParentProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ParentProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ParentProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ParentProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ParentProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ParentProcessGuid",
- "type": "string"
- },
- {
- "name": "ParentProcessId",
- "type": "string"
- },
- {
- "name": "ParentProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ParentProcessInjectedAddress",
- "type": "string"
- },
- {
- "name": "ParentProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ParentProcessIsHidden",
- "type": "boolean"
- },
- {
- "name": "ParentProcessMD5",
- "type": "string"
- },
- {
- "name": "ParentProcessName",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA1",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA256",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA512",
- "type": "string"
- },
- {
- "name": "ParentProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "PreviousPropertyValue",
- "type": "string"
- },
- {
- "name": "RegistryKey",
- "type": "string"
- },
- {
- "name": "RegistryPreviousKey",
- "type": "string"
- },
- {
- "name": "RegistryPreviousValue",
- "type": "string"
- },
- {
- "name": "RegistryPreviousValueData",
- "type": "string"
- },
- {
- "name": "RegistryPreviousValueType",
- "type": "string"
- },
- {
- "name": "RegistryValue",
- "type": "string"
- },
- {
- "name": "RegistryValueData",
- "type": "string"
- },
- {
- "name": "RegistryValueType",
- "type": "string"
- },
- {
- "name": "RequestedIpAddr",
- "type": "string"
- },
- {
- "name": "Rule",
- "type": "string"
- },
- {
- "name": "RuleName",
- "type": "string"
- },
- {
- "name": "RuleNumber",
- "type": "int"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- },
- {
- "name": "Src",
- "type": "string"
- },
- {
- "name": "SrcAppId",
- "type": "string"
- },
- {
- "name": "SrcAppName",
- "type": "string"
- },
- {
- "name": "SrcAppType",
- "type": "string"
- },
- {
- "name": "SrcBytes",
- "type": "long"
- },
- {
- "name": "SrcDescription",
- "type": "string"
- },
- {
- "name": "SrcDeviceType",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcDvcScope",
- "type": "string"
- },
- {
- "name": "SrcDvcScopeId",
- "type": "string"
- },
- {
- "name": "SrcFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "SrcFileDirectory",
- "type": "string"
- },
- {
- "name": "SrcFileExtension",
- "type": "string"
- },
- {
- "name": "SrcFileMD5",
- "type": "string"
- },
- {
- "name": "SrcFileMimeType",
- "type": "string"
- },
- {
- "name": "SrcFileName",
- "type": "string"
- },
- {
- "name": "SrcFilePath",
- "type": "string"
- },
- {
- "name": "SrcFilePathType",
- "type": "string"
- },
- {
- "name": "SrcFileSHA1",
- "type": "string"
- },
- {
- "name": "SrcFileSHA256",
- "type": "string"
- },
- {
- "name": "SrcFileSHA512",
- "type": "string"
- },
- {
- "name": "SrcFileSize",
- "type": "long"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcInterfaceGuid",
- "type": "string"
- },
- {
- "name": "SrcInterfaceName",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcIsp",
- "type": "string"
- },
- {
- "name": "SrcMacAddr",
- "type": "string"
- },
- {
- "name": "SrcNatIpAddr",
- "type": "string"
- },
- {
- "name": "SrcNatPortNumber",
- "type": "int"
- },
- {
- "name": "SrcOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "SrcOriginalUserType",
- "type": "string"
- },
- {
- "name": "SrcPackets",
- "type": "long"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcProcessGuid",
- "type": "string"
- },
- {
- "name": "SrcProcessId",
- "type": "string"
- },
- {
- "name": "SrcProcessName",
- "type": "string"
- },
- {
- "name": "SrcRiskLevel",
- "type": "int"
- },
- {
- "name": "SrcSubscriptionId",
- "type": "string"
- },
- {
- "name": "SrcUserId",
- "type": "string"
- },
- {
- "name": "SrcUserIdType",
- "type": "string"
- },
- {
- "name": "SrcUsername",
- "type": "string"
- },
- {
- "name": "SrcUsernameType",
- "type": "string"
- },
- {
- "name": "SrcUserScope",
- "type": "string"
- },
- {
- "name": "SrcUserScopeId",
- "type": "string"
- },
- {
- "name": "SrcUserSessionId",
- "type": "string"
- },
- {
- "name": "SrcUserType",
- "type": "string"
- },
- {
- "name": "SrcUserUid",
- "type": "string"
- },
- {
- "name": "SrcVlanId",
- "type": "string"
- },
- {
- "name": "SrcZone",
- "type": "string"
- },
- {
- "name": "TargetAppId",
- "type": "string"
- },
- {
- "name": "TargetAppName",
- "type": "string"
- },
- {
- "name": "TargetAppType",
- "type": "string"
- },
- {
- "name": "TargetDescription",
- "type": "string"
- },
- {
- "name": "TargetDeviceType",
- "type": "string"
- },
- {
- "name": "TargetDomain",
- "type": "string"
- },
- {
- "name": "TargetDomainType",
- "type": "string"
- },
- {
- "name": "TargetDvcId",
- "type": "string"
- },
- {
- "name": "TargetDvcIdType",
- "type": "string"
- },
- {
- "name": "TargetDvcOs",
- "type": "string"
- },
- {
- "name": "TargetDvcScope",
- "type": "string"
- },
- {
- "name": "TargetDvcScopeId",
- "type": "string"
- },
- {
- "name": "TargetFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetFileDirectory",
- "type": "string"
- },
- {
- "name": "TargetFileExtension",
- "type": "string"
- },
- {
- "name": "TargetFileMD5",
- "type": "string"
- },
- {
- "name": "TargetFileMimeType",
- "type": "string"
- },
- {
- "name": "TargetFileName",
- "type": "string"
- },
- {
- "name": "TargetFilePath",
- "type": "string"
- },
- {
- "name": "TargetFilePathType",
- "type": "string"
- },
- {
- "name": "TargetFileSHA1",
- "type": "string"
- },
- {
- "name": "TargetFileSHA256",
- "type": "string"
- },
- {
- "name": "TargetFileSHA512",
- "type": "string"
- },
- {
- "name": "TargetFileSize",
- "type": "long"
- },
- {
- "name": "TargetFQDN",
- "type": "string"
- },
- {
- "name": "TargetGeoCity",
- "type": "string"
- },
- {
- "name": "TargetGeoCountry",
- "type": "string"
- },
- {
- "name": "TargetGeoLatitude",
- "type": "real"
- },
- {
- "name": "TargetGeoLongitude",
- "type": "real"
- },
- {
- "name": "TargetGeoRegion",
- "type": "string"
- },
- {
- "name": "TargetHostname",
- "type": "string"
- },
- {
- "name": "TargetIpAddr",
- "type": "string"
- },
- {
- "name": "TargetOriginalAppType",
- "type": "string"
- },
- {
- "name": "TargetOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "TargetOriginalUserType",
- "type": "string"
- },
- {
- "name": "TargetPortNumber",
- "type": "int"
- },
- {
- "name": "TargetProcessCommandLine",
- "type": "string"
- },
- {
- "name": "TargetProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetProcessCurrentDirectory",
- "type": "string"
- },
- {
- "name": "TargetProcessFileCompany",
- "type": "string"
- },
- {
- "name": "TargetProcessFileDescription",
- "type": "string"
- },
- {
- "name": "TargetProcessFileInternalName",
- "type": "string"
- },
- {
- "name": "TargetProcessFilename",
- "type": "string"
- },
- {
- "name": "TargetProcessFileOriginalName",
- "type": "string"
- },
- {
- "name": "TargetProcessFileProduct",
- "type": "string"
- },
- {
- "name": "TargetProcessFileSize",
- "type": "long"
- },
- {
- "name": "TargetProcessFileVersion",
- "type": "string"
- },
- {
- "name": "TargetProcessGuid",
- "type": "string"
- },
- {
- "name": "TargetProcessId",
- "type": "string"
- },
- {
- "name": "TargetProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "TargetProcessInjectedAddress",
- "type": "string"
- },
- {
- "name": "TargetProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "TargetProcessIsHidden",
- "type": "boolean"
- },
- {
- "name": "TargetProcessMD5",
- "type": "string"
- },
- {
- "name": "TargetProcessName",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA1",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA256",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA512",
- "type": "string"
- },
- {
- "name": "TargetProcessStatusCode",
- "type": "string"
- },
- {
- "name": "TargetProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetRiskLevel",
- "type": "int"
- },
- {
- "name": "TargetScope",
- "type": "string"
- },
- {
- "name": "TargetScopeId",
- "type": "string"
- },
- {
- "name": "TargetSessionId",
- "type": "string"
- },
- {
- "name": "TargetUrl",
- "type": "string"
- },
- {
- "name": "TargetUserId",
- "type": "string"
- },
- {
- "name": "TargetUserIdType",
- "type": "string"
- },
- {
- "name": "TargetUsername",
- "type": "string"
- },
- {
- "name": "TargetUsernameType",
- "type": "string"
- },
- {
- "name": "TargetUserScope",
- "type": "string"
- },
- {
- "name": "TargetUserScopeId",
- "type": "string"
- },
- {
- "name": "TargetUserSessionGuid",
- "type": "string"
- },
- {
- "name": "TargetUserSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserType",
- "type": "string"
- },
- {
- "name": "TargetUserUid",
- "type": "string"
- },
- {
- "name": "TcpFlagsAck",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsFin",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsPsh",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsRst",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsSyn",
- "type": "boolean"
- },
- {
- "name": "TcpFlagsUrg",
- "type": "boolean"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "ThreatFilePath",
- "type": "string"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatFirstReportedTime_d",
- "type": "datetime"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime_d",
- "type": "datetime"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatOriginalRiskLevel_s",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "TransactionIdHex",
- "type": "string"
- },
- {
- "name": "Type",
- "type": "string"
- },
- {
- "name": "Url",
- "type": "string"
- },
- {
- "name": "UrlCategory",
- "type": "string"
- },
- {
- "name": "UrlOriginal",
- "type": "string"
- },
- {
- "name": "ValueType",
- "type": "string"
- }
- ]
- }
- },
- "destinations": {
- "logAnalytics": [
- {
- "workspaceResourceId": "[variables('workspaceResourceId')]",
- "name": "clv2ws1"
- }
- ]
- },
- "dataFlows": [
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='Authentication'",
- "outputStream": "Custom-HalcyonAuthenticationEvents_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='Dns'",
- "outputStream": "Custom-HalcyonDnsActivity_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='FileEvent'",
- "outputStream": "Custom-HalcyonFileActivity_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='NetworkSession'",
- "outputStream": "Custom-HalcyonNetworkSession_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='ProcessEvent'",
- "outputStream": "Custom-HalcyonProcessEvent_CL"
- }
- ]
- }
- },
- {
- "name": "HalcyonAuthenticationEvents_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonAuthenticationEvents_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "EventOwner",
- "type": "string"
- },
- {
- "name": "EventReportUrl",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "LogonMethod",
- "type": "string"
- },
- {
- "name": "LogonProtocol",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "ActorOriginalUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorUserSid",
- "type": "string"
- },
- {
- "name": "ActorUserAadId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "TargetUsername",
- "type": "string"
- },
- {
- "name": "TargetUsernameType",
- "type": "string"
- },
- {
- "name": "TargetUserId",
- "type": "string"
- },
- {
- "name": "TargetUserIdType",
- "type": "string"
- },
- {
- "name": "TargetUserType",
- "type": "string"
- },
- {
- "name": "TargetOriginalUserType",
- "type": "string"
- },
- {
- "name": "TargetUserScope",
- "type": "string"
- },
- {
- "name": "TargetUserScopeId",
- "type": "string"
- },
- {
- "name": "TargetSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserSessionGuid",
- "type": "string"
- },
- {
- "name": "TargetAppName",
- "type": "string"
- },
- {
- "name": "TargetAppId",
- "type": "string"
- },
- {
- "name": "TargetAppType",
- "type": "string"
- },
- {
- "name": "TargetOriginalAppType",
- "type": "string"
- },
- {
- "name": "TargetUrl",
- "type": "string"
- },
- {
- "name": "TargetHostname",
- "type": "string"
- },
- {
- "name": "TargetDomain",
- "type": "string"
- },
- {
- "name": "TargetDomainType",
- "type": "string"
- },
- {
- "name": "TargetFQDN",
- "type": "string"
- },
- {
- "name": "TargetDescription",
- "type": "string"
- },
- {
- "name": "TargetDvcId",
- "type": "string"
- },
- {
- "name": "TargetDvcIdType",
- "type": "string"
- },
- {
- "name": "TargetDvcOs",
- "type": "string"
- },
- {
- "name": "TargetPortNumber",
- "type": "int"
- },
- {
- "name": "TargetIpAddr",
- "type": "string"
- },
- {
- "name": "TargetGeoCity",
- "type": "string"
- },
- {
- "name": "TargetGeoCountry",
- "type": "string"
- },
- {
- "name": "TargetGeoLatitude",
- "type": "real"
- },
- {
- "name": "TargetGeoLongitude",
- "type": "real"
- },
- {
- "name": "TargetGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcDescription",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcIsp",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "HttpUserAgent",
- "type": "string"
- },
- {
- "name": "HttpRequestMethod",
- "type": "string"
- },
- {
- "name": "RuleName",
- "type": "string"
- },
- {
- "name": "RuleNumber",
- "type": "int"
- },
- {
- "name": "Rule",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
- },
- {
- "name": "HalcyonDnsActivity_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonDnsActivity_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "Src",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcUserId",
- "type": "string"
- },
- {
- "name": "SrcUserIdType",
- "type": "string"
- },
- {
- "name": "SrcUsername",
- "type": "string"
- },
- {
- "name": "SrcUsernameType",
- "type": "string"
- },
- {
- "name": "SrcUserType",
- "type": "string"
- },
- {
- "name": "SrcProcessName",
- "type": "string"
- },
- {
- "name": "SrcProcessId",
- "type": "string"
- },
- {
- "name": "SrcProcessGuid",
- "type": "string"
- },
- {
- "name": "DstIpAddr",
- "type": "string"
- },
- {
- "name": "DstPortNumber",
- "type": "int"
- },
- {
- "name": "DstHostname",
- "type": "string"
- },
- {
- "name": "DstDomain",
- "type": "string"
- },
- {
- "name": "DstDomainType",
- "type": "string"
- },
- {
- "name": "DstFQDN",
- "type": "string"
- },
- {
- "name": "DstDvcId",
- "type": "string"
- },
- {
- "name": "DstDvcIdType",
- "type": "string"
- },
- {
- "name": "DstGeoCity",
- "type": "string"
- },
- {
- "name": "DstGeoCountry",
- "type": "string"
- },
- {
- "name": "DstGeoLatitude",
- "type": "real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "real"
- },
- {
- "name": "DstGeoRegion",
- "type": "string"
- },
- {
- "name": "DnsQuery",
- "type": "string"
- },
- {
- "name": "DnsQueryType",
- "type": "int"
- },
- {
- "name": "DnsQueryTypeName",
- "type": "string"
- },
- {
- "name": "DnsQueryClass",
- "type": "int"
- },
- {
- "name": "DnsQueryClassName",
- "type": "string"
- },
- {
- "name": "DnsResponseCode",
- "type": "int"
- },
- {
- "name": "DnsResponseName",
- "type": "string"
- },
- {
- "name": "DnsResponseIpCity",
- "type": "string"
- },
- {
- "name": "DnsResponseIpCountry",
- "type": "string"
- },
- {
- "name": "DnsResponseIpLatitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpLongitude",
- "type": "real"
- },
- {
- "name": "DnsResponseIpRegion",
- "type": "string"
- },
- {
- "name": "DnsFlags",
- "type": "string"
- },
- {
- "name": "DnsFlagsAuthenticated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsAuthoritative",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsCheckingDisabled",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionAvailable",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsRecursionDesired",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsTruncated",
- "type": "boolean"
- },
- {
- "name": "DnsFlagsZ",
- "type": "boolean"
- },
- {
- "name": "DnsNetworkDuration",
- "type": "int"
- },
- {
- "name": "DnsSessionId",
- "type": "string"
- },
- {
- "name": "TransactionIdHex",
- "type": "string"
- },
- {
- "name": "NetworkProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
- },
- {
- "name": "HalcyonFileActivity_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonFileActivity_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "ActingProcessName",
- "type": "string"
- },
- {
- "name": "ActingProcessId",
- "type": "string"
- },
- {
- "name": "ActingProcessGuid",
- "type": "string"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "long"
- },
- {
- "name": "ActingProcessMD5",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "string"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetFileName",
- "type": "string"
- },
- {
- "name": "TargetFilePath",
- "type": "string"
- },
- {
- "name": "TargetFilePathType",
- "type": "string"
- },
- {
- "name": "TargetFileDirectory",
- "type": "string"
- },
- {
- "name": "TargetFileExtension",
- "type": "string"
- },
- {
- "name": "TargetFileMimeType",
- "type": "string"
- },
- {
- "name": "TargetFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetFileSize",
- "type": "long"
- },
- {
- "name": "TargetFileMD5",
- "type": "string"
- },
- {
- "name": "TargetFileSHA1",
- "type": "string"
- },
- {
- "name": "TargetFileSHA256",
- "type": "string"
- },
- {
- "name": "TargetFileSHA512",
- "type": "string"
- },
- {
- "name": "SrcFileName",
- "type": "string"
- },
- {
- "name": "SrcFilePath",
- "type": "string"
- },
- {
- "name": "SrcFilePathType",
- "type": "string"
- },
- {
- "name": "SrcFileDirectory",
- "type": "string"
- },
- {
- "name": "SrcFileExtension",
- "type": "string"
- },
- {
- "name": "SrcFileMimeType",
- "type": "string"
- },
- {
- "name": "SrcFileCreationTime",
- "type": "datetime"
- },
- {
- "name": "SrcFileSize",
- "type": "long"
- },
- {
- "name": "SrcFileMD5",
- "type": "string"
- },
- {
- "name": "SrcFileSHA1",
- "type": "string"
- },
- {
- "name": "SrcFileSHA256",
- "type": "string"
- },
- {
- "name": "SrcFileSHA512",
- "type": "string"
- },
- {
- "name": "HashType",
- "type": "string"
- },
- {
- "name": "FileMD5",
- "type": "string"
- },
- {
- "name": "FileSHA1",
- "type": "string"
- },
- {
- "name": "FileSHA256",
- "type": "string"
- },
- {
- "name": "FileSHA512",
- "type": "string"
- },
- {
- "name": "FileContentType",
- "type": "string"
- },
- {
- "name": "FileSize",
- "type": "int"
- },
- {
- "name": "FileName",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatFilePath",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
- },
- {
- "name": "HalcyonNetworkSession_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonNetworkSession_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcDescription",
- "type": "string"
- },
- {
- "name": "DvcInterface",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "Src",
- "type": "string"
- },
- {
- "name": "SrcIpAddr",
- "type": "string"
- },
- {
- "name": "SrcPortNumber",
- "type": "int"
- },
- {
- "name": "SrcHostname",
- "type": "string"
- },
- {
- "name": "SrcDomain",
- "type": "string"
- },
- {
- "name": "SrcDomainType",
- "type": "string"
- },
- {
- "name": "SrcFQDN",
- "type": "string"
- },
- {
- "name": "SrcDvcId",
- "type": "string"
- },
- {
- "name": "SrcDvcIdType",
- "type": "string"
- },
- {
- "name": "SrcDvcScopeId",
- "type": "string"
- },
- {
- "name": "SrcDvcScope",
- "type": "string"
- },
- {
- "name": "SrcDeviceType",
- "type": "string"
- },
- {
- "name": "SrcUserId",
- "type": "string"
- },
- {
- "name": "SrcUserIdType",
- "type": "string"
- },
- {
- "name": "SrcUsername",
- "type": "string"
- },
- {
- "name": "SrcUsernameType",
- "type": "string"
- },
- {
- "name": "SrcUserType",
- "type": "string"
- },
- {
- "name": "SrcOriginalUserType",
- "type": "string"
- },
- {
- "name": "SrcUserScope",
- "type": "string"
- },
- {
- "name": "SrcUserScopeId",
- "type": "string"
- },
- {
- "name": "SrcMacAddr",
- "type": "string"
- },
- {
- "name": "SrcDvcOs",
- "type": "string"
- },
- {
- "name": "SrcIsp",
- "type": "string"
- },
- {
- "name": "SrcGeoCity",
- "type": "string"
- },
- {
- "name": "SrcGeoCountry",
- "type": "string"
- },
- {
- "name": "SrcGeoLatitude",
- "type": "real"
- },
- {
- "name": "SrcGeoLongitude",
- "type": "real"
- },
- {
- "name": "SrcGeoRegion",
- "type": "string"
- },
- {
- "name": "SrcRiskLevel",
- "type": "int"
- },
- {
- "name": "SrcOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "SrcProcessName",
- "type": "string"
- },
- {
- "name": "SrcProcessId",
- "type": "string"
- },
- {
- "name": "SrcProcessGuid",
- "type": "string"
- },
- {
- "name": "SrcAppName",
- "type": "string"
- },
- {
- "name": "SrcAppId",
- "type": "string"
- },
- {
- "name": "SrcAppType",
- "type": "string"
- },
- {
- "name": "SrcZone",
- "type": "string"
- },
- {
- "name": "SrcInterfaceName",
- "type": "string"
- },
- {
- "name": "SrcInterfaceGuid",
- "type": "string"
- },
- {
- "name": "SrcVlanId",
- "type": "string"
- },
- {
- "name": "SrcSubscriptionId",
- "type": "string"
- },
- {
- "name": "Dst",
- "type": "string"
- },
- {
- "name": "DstIpAddr",
- "type": "string"
- },
- {
- "name": "DstPortNumber",
- "type": "int"
- },
- {
- "name": "DstHostname",
- "type": "string"
- },
- {
- "name": "DstDomain",
- "type": "string"
- },
- {
- "name": "DstDomainType",
- "type": "string"
- },
- {
- "name": "DstFQDN",
- "type": "string"
- },
- {
- "name": "DstDvcId",
- "type": "string"
- },
- {
- "name": "DstDvcIdType",
- "type": "string"
- },
- {
- "name": "DstDvcScopeId",
- "type": "string"
- },
- {
- "name": "DstDvcScope",
- "type": "string"
- },
- {
- "name": "DstDeviceType",
- "type": "string"
- },
- {
- "name": "DstUserId",
- "type": "string"
- },
- {
- "name": "DstUserIdType",
- "type": "string"
- },
- {
- "name": "DstUsername",
- "type": "string"
- },
- {
- "name": "DstUsernameType",
- "type": "string"
- },
- {
- "name": "DstUserType",
- "type": "string"
- },
- {
- "name": "DstOriginalUserType",
- "type": "string"
- },
- {
- "name": "DstUserScope",
- "type": "string"
- },
- {
- "name": "DstUserScopeId",
- "type": "string"
- },
- {
- "name": "DstMacAddr",
- "type": "string"
- },
- {
- "name": "DstDvcOs",
- "type": "string"
- },
- {
- "name": "DstIsp",
- "type": "string"
- },
- {
- "name": "DstGeoCity",
- "type": "string"
- },
- {
- "name": "DstGeoCountry",
- "type": "string"
- },
- {
- "name": "DstGeoLatitude",
- "type": "real"
- },
- {
- "name": "DstGeoLongitude",
- "type": "real"
- },
- {
- "name": "DstGeoRegion",
- "type": "string"
- },
- {
- "name": "DstRiskLevel",
- "type": "int"
- },
- {
- "name": "DstOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "DstProcessName",
- "type": "string"
- },
- {
- "name": "DstProcessId",
- "type": "string"
- },
- {
- "name": "DstProcessGuid",
- "type": "string"
- },
- {
- "name": "DstAppName",
- "type": "string"
- },
- {
- "name": "DstAppId",
- "type": "string"
- },
- {
- "name": "DstAppType",
- "type": "string"
- },
- {
- "name": "DstZone",
- "type": "string"
- },
- {
- "name": "DstInterfaceName",
- "type": "string"
- },
- {
- "name": "DstInterfaceGuid",
- "type": "string"
- },
- {
- "name": "DstVlanId",
- "type": "string"
- },
- {
- "name": "DstSubscriptionId",
- "type": "string"
- },
- {
- "name": "NetworkApplicationProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocol",
- "type": "string"
- },
- {
- "name": "NetworkProtocolVersion",
- "type": "string"
- },
- {
- "name": "NetworkDirection",
- "type": "string"
- },
- {
- "name": "NetworkDuration",
- "type": "int"
- },
- {
- "name": "NetworkIcmpCode",
- "type": "int"
- },
- {
- "name": "NetworkIcmpType",
- "type": "string"
- },
- {
- "name": "NetworkConnectionHistory",
- "type": "string"
- },
- {
- "name": "DstBytes",
- "type": "long"
- },
- {
- "name": "SrcBytes",
- "type": "long"
- },
- {
- "name": "NetworkBytes",
- "type": "long"
- },
- {
- "name": "DstPackets",
- "type": "long"
- },
- {
- "name": "SrcPackets",
- "type": "long"
- },
- {
- "name": "NetworkPackets",
- "type": "long"
- },
- {
- "name": "NetworkSessionId",
- "type": "string"
- },
- {
- "name": "SessionId",
- "type": "string"
- },
- {
- "name": "SrcNatIpAddr",
- "type": "string"
- },
- {
- "name": "SrcNatPortNumber",
- "type": "int"
- },
- {
- "name": "DstNatIpAddr",
- "type": "string"
- },
- {
- "name": "DstNatPortNumber",
- "type": "int"
- },
- {
- "name": "TcpFlags",
- "type": "string"
- },
- {
- "name": "SrcVmName",
- "type": "string"
- },
- {
- "name": "DstVmName",
- "type": "string"
- },
- {
- "name": "NetworkRuleName",
- "type": "string"
- },
- {
- "name": "NetworkRuleNumber",
- "type": "int"
- },
- {
- "name": "Rule",
- "type": "string"
- },
- {
- "name": "RuleName",
- "type": "string"
- },
- {
- "name": "RuleNumber",
- "type": "int"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatIpAddr",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
- },
- {
- "name": "HalcyonProcessEvent_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "HalcyonProcessEvent_CL",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "EventCount",
- "type": "int"
- },
- {
- "name": "EventStartTime",
- "type": "datetime"
- },
- {
- "name": "EventEndTime",
- "type": "datetime"
- },
- {
- "name": "EventType",
- "type": "string"
- },
- {
- "name": "EventSubType",
- "type": "string"
- },
- {
- "name": "EventResult",
- "type": "string"
- },
- {
- "name": "EventResultDetails",
- "type": "string"
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "string"
- },
- {
- "name": "EventSeverity",
- "type": "string"
- },
- {
- "name": "EventOriginalSeverity",
- "type": "string"
- },
- {
- "name": "EventProduct",
- "type": "string"
- },
- {
- "name": "EventProductVersion",
- "type": "string"
- },
- {
- "name": "EventVendor",
- "type": "string"
- },
- {
- "name": "EventSchema",
- "type": "string"
- },
- {
- "name": "EventSchemaVersion",
- "type": "string"
- },
- {
- "name": "EventOriginalUid",
- "type": "string"
- },
- {
- "name": "EventOriginalType",
- "type": "string"
- },
- {
- "name": "EventMessage",
- "type": "string"
- },
- {
- "name": "Dvc",
- "type": "string"
- },
- {
- "name": "DvcHostname",
- "type": "string"
- },
- {
- "name": "DvcIpAddr",
- "type": "string"
- },
- {
- "name": "DvcDomain",
- "type": "string"
- },
- {
- "name": "DvcDomainType",
- "type": "string"
- },
- {
- "name": "DvcFQDN",
- "type": "string"
- },
- {
- "name": "DvcId",
- "type": "string"
- },
- {
- "name": "DvcIdType",
- "type": "string"
- },
- {
- "name": "DvcMacAddr",
- "type": "string"
- },
- {
- "name": "DvcOs",
- "type": "string"
- },
- {
- "name": "DvcOsVersion",
- "type": "string"
- },
- {
- "name": "DvcAction",
- "type": "string"
- },
- {
- "name": "DvcOriginalAction",
- "type": "string"
- },
- {
- "name": "DvcScope",
- "type": "string"
- },
- {
- "name": "DvcScopeId",
- "type": "string"
- },
- {
- "name": "DvcZone",
- "type": "string"
- },
- {
- "name": "ActorUsername",
- "type": "string"
- },
- {
- "name": "ActorUsernameType",
- "type": "string"
- },
- {
- "name": "ActorUserId",
- "type": "string"
- },
- {
- "name": "ActorUserIdType",
- "type": "string"
- },
- {
- "name": "ActorUserType",
- "type": "string"
- },
- {
- "name": "ActorScope",
- "type": "string"
- },
- {
- "name": "ActorScopeId",
- "type": "string"
- },
- {
- "name": "ActorSessionId",
- "type": "string"
- },
- {
- "name": "ActingProcessName",
- "type": "string"
- },
- {
- "name": "ActingProcessId",
- "type": "string"
- },
- {
- "name": "ActingProcessGuid",
- "type": "string"
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ActingProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ActingProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ActingProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ActingProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ActingProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ActingProcessFileSize",
- "type": "long"
- },
- {
- "name": "ActingProcessMD5",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA1",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA256",
- "type": "string"
- },
- {
- "name": "ActingProcessSHA512",
- "type": "string"
- },
- {
- "name": "ActingProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ActingProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ActingProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "ParentProcessName",
- "type": "string"
- },
- {
- "name": "ParentProcessId",
- "type": "string"
- },
- {
- "name": "ParentProcessGuid",
- "type": "string"
- },
- {
- "name": "ParentProcessCommandLine",
- "type": "string"
- },
- {
- "name": "ParentProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "ParentProcessFileCompany",
- "type": "string"
- },
- {
- "name": "ParentProcessFileDescription",
- "type": "string"
- },
- {
- "name": "ParentProcessFileProduct",
- "type": "string"
- },
- {
- "name": "ParentProcessFileVersion",
- "type": "string"
- },
- {
- "name": "ParentProcessFileSize",
- "type": "long"
- },
- {
- "name": "ParentProcessMD5",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA1",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA256",
- "type": "string"
- },
- {
- "name": "ParentProcessSHA512",
- "type": "string"
- },
- {
- "name": "ParentProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "ParentProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "ParentProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetProcessName",
- "type": "string"
- },
- {
- "name": "TargetProcessId",
- "type": "string"
- },
- {
- "name": "TargetProcessGuid",
- "type": "string"
- },
- {
- "name": "TargetProcessCommandLine",
- "type": "string"
- },
- {
- "name": "TargetProcessCurrentDirectory",
- "type": "string"
- },
- {
- "name": "TargetProcessCreationTime",
- "type": "datetime"
- },
- {
- "name": "TargetProcessFileCompany",
- "type": "string"
- },
- {
- "name": "TargetProcessFileDescription",
- "type": "string"
- },
- {
- "name": "TargetProcessFileProduct",
- "type": "string"
- },
- {
- "name": "TargetProcessFileVersion",
- "type": "string"
- },
- {
- "name": "TargetProcessFileSize",
- "type": "long"
- },
- {
- "name": "TargetProcessMD5",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA1",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA256",
- "type": "string"
- },
- {
- "name": "TargetProcessSHA512",
- "type": "string"
- },
- {
- "name": "TargetProcessIMPHASH",
- "type": "string"
- },
- {
- "name": "TargetProcessIntegrityLevel",
- "type": "string"
- },
- {
- "name": "TargetProcessTokenElevation",
- "type": "string"
- },
- {
- "name": "TargetUsername",
- "type": "string"
- },
- {
- "name": "TargetUsernameType",
- "type": "string"
- },
- {
- "name": "TargetUserId",
- "type": "string"
- },
- {
- "name": "TargetUserIdType",
- "type": "string"
- },
- {
- "name": "TargetUserType",
- "type": "string"
- },
- {
- "name": "TargetUserSessionId",
- "type": "string"
- },
- {
- "name": "TargetUserScope",
- "type": "string"
- },
- {
- "name": "TargetUserScopeId",
- "type": "string"
- },
- {
- "name": "Hash",
- "type": "string"
- },
- {
- "name": "HashType",
- "type": "string"
- },
- {
- "name": "MD5",
- "type": "string"
- },
- {
- "name": "SHA1",
- "type": "string"
- },
- {
- "name": "SHA256",
- "type": "string"
- },
- {
- "name": "SHA512",
- "type": "string"
- },
- {
- "name": "IMPHASH",
- "type": "string"
- },
- {
- "name": "ThreatId",
- "type": "string"
- },
- {
- "name": "ThreatName",
- "type": "string"
- },
- {
- "name": "ThreatCategory",
- "type": "string"
- },
- {
- "name": "ThreatRiskLevel",
- "type": "int"
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "string"
- },
- {
- "name": "ThreatConfidence",
- "type": "int"
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "string"
- },
- {
- "name": "ThreatIsActive",
- "type": "boolean"
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "datetime"
- },
- {
- "name": "ThreatFilePath",
- "type": "string"
- },
- {
- "name": "ThreatField",
- "type": "string"
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "string"
- }
- ]
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "version": "[variables('dataConnectorCCPVersion')]"
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
- "apiVersion": "2022-09-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
- "location": "[parameters('workspace-location')]",
- "kind": "Customizable",
- "properties": {
- "connectorUiConfig": {
- "id": "HalcyonPush",
- "title": "Halcyon Connector",
- "publisher": "Halcyon",
- "logo": "halcyon.svg",
- "descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Authentication Events",
- "legend": "HalcyonAuthenticationEvents_CL",
- "baseQuery": "HalcyonAuthenticationEvents_CL"
- },
- {
- "metricName": "DNS Activity",
- "legend": "HalcyonDnsActivity_CL",
- "baseQuery": "HalcyonDnsActivity_CL"
- },
- {
- "metricName": "File Activity",
- "legend": "HalcyonFileActivity_CL",
- "baseQuery": "HalcyonFileActivity_CL"
- },
- {
- "metricName": "Network Sessions",
- "legend": "HalcyonNetworkSession_CL",
- "baseQuery": "HalcyonNetworkSession_CL"
- },
- {
- "metricName": "Process Events",
- "legend": "HalcyonProcessEvent_CL",
- "baseQuery": "HalcyonProcessEvent_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample Authentication Events",
- "query": "HalcyonAuthenticationEvents_CL\n | take 10"
- },
- {
- "description": "Get Sample DNS Activity",
- "query": "HalcyonDnsActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample File Activity",
- "query": "HalcyonFileActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample Network Sessions",
- "query": "HalcyonNetworkSession_CL\n | take 10"
- },
- {
- "description": "Get Sample Process Events",
- "query": "HalcyonProcessEvent_CL\n | take 10"
- }
- ],
- "dataTypes": [
- {
- "name": "Halcyon Authentication Events",
- "lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon DNS Activity",
- "lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon File Activity",
- "lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Network Sessions",
- "lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Process Events",
- "lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriteria": [
- {
- "type": "HasDataConnectors"
- }
- ],
- "availability": {
- "isPreview": true
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions are required.",
- "providerDisplayName": "Workspace Permissions",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": false
- }
- }
- ],
- "customs": [
- {
- "name": "Microsoft Entra Create Permissions",
- "description": "Permissions to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
- },
- {
- "name": "Role Assignment Permissions",
- "description": "Write permissions required to assign Monitoring Metrics Publisher role to the data collection rule (DCR). Typically requires Owner or User Access Administrator role at the resource group level."
- }
- ]
- },
- "instructionSteps": [
- {
- "title": "1. Create ARM Resources and Provision Required Permissions",
- "description": "This connector reads data from the tables that Halcyon uses in a Microsoft Analytics Workspace, if the data is being forwarded",
- "instructions": [
- {
- "type": "Markdown",
- "parameters": {
- "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token."
- }
- },
- {
- "parameters": {
- "label": "Deploy Halcyon Connector Resources",
- "applicationDisplayName": "Halcyon Connector Application"
- },
- "type": "DeployPushConnectorButton"
- }
- ]
- },
- {
- "title": "2. Configured your integration in the Halcyon Platform",
- "description": "Use the following parameters to configure your integration in the Halcyon Platform.",
- "instructions": [
- {
- "parameters": {
- "label": "Directory ID (Tenant ID)",
- "fillWith": [
- "TenantId"
- ]
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "label": "Entra App Registration Application ID (Client ID)",
- "fillWith": [
- "ApplicationId"
- ],
- "placeholder": "Deploy the Push Connector to get the App Registration Application ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "label": "Entra App Registration Secret (Credential Secret) (THIS SECRET WILL NOT BE VISIBLE AFTER LEAVING THIS PAGE)",
- "fillWith": [
- "ApplicationSecret"
- ],
- "placeholder": "Deploy the Push Connector to get the App Registration Secret"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "label": "Data Collection Endpoint (URL)",
- "fillWith": [
- "DataCollectionEndpoint"
- ],
- "placeholder": "Deploy the Push Connector to get the Data Collection Endpoint"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "label": "Data Collection Rule Immutable ID (Rule ID)",
- "fillWith": [
- "DataCollectionRuleId"
- ],
- "placeholder": "Deploy the Push Connector to get the Data Collection Rule ID"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
- "apiVersion": "2022-01-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
- "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorCCPVersion')]",
- "source": {
- "sourceId": "[variables('_solutionId')]",
- "name": "[variables('_solutionName')]",
- "kind": "Solution"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
- },
- "dependencies": {
- "criteria": [
- {
- "version": "[variables('dataConnectorCCPVersion')]",
- "contentId": "[variables('_dataConnectorContentIdConnections1')]",
- "kind": "ResourcesDataConnector"
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "contentId": "[variables('_dataConnectorContentIdConnections1')]",
- "displayName": "Halcyon Connector",
- "contentKind": "ResourcesDataConnector",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorCCPVersion')]",
- "parameters": {
- "guidValue": {
- "defaultValue": "[[newGuid()]",
- "type": "securestring"
- },
- "innerWorkspace": {
- "defaultValue": "[parameters('workspace')]",
- "type": "securestring"
- },
- "auth": {
- "type": "object",
- "defaultValue": {
- "appId": "[[parameters('auth').appId]]",
- "servicePrincipalId": "[[parameters('auth').servicePrincipalId]]"
- }
- },
- "connectorDefinitionName": {
- "defaultValue": "Halcyon Connector",
- "type": "securestring",
- "minLength": 1
- },
- "workspace": {
- "defaultValue": "[parameters('workspace')]",
- "type": "securestring"
- },
- "dcrConfig": {
- "defaultValue": {
- "dataCollectionEndpoint": "data collection Endpoint",
- "dataCollectionRuleImmutableId": "data collection rule immutableId"
- },
- "type": "object"
- }
- },
- "variables": {
- "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
- },
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
- "apiVersion": "2022-01-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
- "contentId": "[variables('_dataConnectorContentIdConnections1')]",
- "kind": "ResourcesDataConnector",
- "version": "[variables('dataConnectorCCPVersion')]",
- "source": {
- "sourceId": "[variables('_solutionId')]",
- "name": "[variables('_solutionName')]",
- "kind": "Solution"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
- }
- }
- },
- {
- "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'HalcyonPushConnector', parameters('guidValue'))]",
- "apiVersion": "2023-02-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "Push",
- "properties": {
- "connectorDefinitionName": "HalcyonPush",
- "dcrConfig": {
- "dataCollectionRuleId": "{{dataCollectionRuleId}}",
- "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
- "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
- "streamName": "Custom-Halcyon"
- },
- "auth": {
- "type": "Push",
- "appId": "[[parameters('auth').appId]",
- "servicePrincipalId": "[[parameters('auth').servicePrincipalId]"
- },
- "request": {
- "RetryCount": 1
+ "name": "app",
+ "type": "dynamic"
+ }
+ ]
+ }
},
- "response": {
- "eventsJsonPaths": [
- "$.messages"
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
]
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "version": "[variables('dataConnectorCCPVersion')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject1').parserTemplateSpecName1]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "ASimAuthenticationHalcyon Data Parser with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject1').parserVersion1]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM Authentication Event Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimAuthenticationHalcyon",
- "query": "let parser = () {\n HalcyonAuthenticationEvents_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
+ },
+ "dataFlows": [
{
- "name": "description",
- "value": ""
+ "streams": [
+ "Custom-Halcyon"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + (['time'] * 1ms) | project-away ['time']",
+ "outputStream": "Custom-HalcyonEvents_CL"
}
]
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
- "dependsOn": [
- "[variables('parserObject1')._parserId1]"
- ],
+ "name": "HalcyonEvents_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]",
- "contentId": "[variables('parserObject1').parserContentId1]",
- "kind": "Parser",
- "version": "[variables('parserObject1').parserVersion1]",
- "source": {
- "name": "Halcyon",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
+ "plan": "Analytics",
+ "schema": {
+ "name": "HalcyonEvents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "activity_id",
+ "type": "int"
+ },
+ {
+ "name": "activity_name",
+ "type": "string"
+ },
+ {
+ "name": "category_uid",
+ "type": "int"
+ },
+ {
+ "name": "category_name",
+ "type": "string"
+ },
+ {
+ "name": "class_uid",
+ "type": "int"
+ },
+ {
+ "name": "class_name",
+ "type": "string"
+ },
+ {
+ "name": "severity_id",
+ "type": "int"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "type_uid",
+ "type": "long"
+ },
+ {
+ "name": "type_name",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "raw_data",
+ "type": "string"
+ },
+ {
+ "name": "status_id",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "action_id",
+ "type": "int"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "disposition_id",
+ "type": "int"
+ },
+ {
+ "name": "disposition",
+ "type": "string"
+ },
+ {
+ "name": "rcode",
+ "type": "string"
+ },
+ {
+ "name": "rcode_id",
+ "type": "int"
+ },
+ {
+ "name": "metadata",
+ "type": "dynamic"
+ },
+ {
+ "name": "unmapped",
+ "type": "dynamic"
+ },
+ {
+ "name": "actor",
+ "type": "dynamic"
+ },
+ {
+ "name": "device",
+ "type": "dynamic"
+ },
+ {
+ "name": "file",
+ "type": "dynamic"
+ },
+ {
+ "name": "process",
+ "type": "dynamic"
+ },
+ {
+ "name": "user",
+ "type": "dynamic"
+ },
+ {
+ "name": "dst_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "src_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "query",
+ "type": "dynamic"
+ },
+ {
+ "name": "answers",
+ "type": "dynamic"
+ },
+ {
+ "name": "driver",
+ "type": "dynamic"
+ },
+ {
+ "name": "module",
+ "type": "dynamic"
+ },
+ {
+ "name": "app",
+ "type": "dynamic"
+ }
+ ]
}
}
}
@@ -4965,382 +601,263 @@
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject1').parserContentId1]",
- "contentKind": "Parser",
- "displayName": "ASIM Authentication Event Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "version": "[variables('parserObject1').parserVersion1]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject1')._parserName1]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM Authentication Event Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimAuthenticationHalcyon",
- "query": "let parser = () {\n HalcyonAuthenticationEvents_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
- "dependsOn": [
- "[variables('parserObject1')._parserId1]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]",
- "contentId": "[variables('parserObject1').parserContentId1]",
- "kind": "Parser",
- "version": "[variables('parserObject1').parserVersion1]",
- "source": {
- "kind": "Solution",
- "name": "Halcyon",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
- }
+ "version": "[variables('dataConnectorCCPVersion')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject2').parserTemplateSpecName2]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
+ "kind": "Customizable",
"properties": {
- "description": "ASimDnsHalcyon Data Parser with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject2').parserVersion2]",
- "parameters": {},
- "variables": {},
- "resources": [
+ "connectorUiConfig": {
+ "id": "HalcyonPush",
+ "title": "Halcyon Connector",
+ "publisher": "Halcyon",
+ "logo": "halcyon.svg",
+ "descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
+ "sampleQueries": [
{
- "name": "[variables('parserObject2')._parserName2]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM DNS Activity Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimDnsHalcyon",
- "query": "let parser = () {\n HalcyonDnsActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
+ "description": "View recent events",
+ "query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
+ }
+ ],
+ "graphQueries": [
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]",
- "dependsOn": [
- "[variables('parserObject2')._parserId2]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]",
- "contentId": "[variables('parserObject2').parserContentId2]",
- "kind": "Parser",
- "version": "[variables('parserObject2').parserVersion2]",
- "source": {
- "name": "Halcyon",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
+ "metricName": "Events",
+ "legend": "HalcyonEvents_CL",
+ "baseQuery": "HalcyonEvents_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Halcyon Events",
+ "lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ ]
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace Permissions",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": false
}
}
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject2').parserContentId2]",
- "contentKind": "Parser",
- "displayName": "ASIM DNS Activity Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
- "version": "[variables('parserObject2').parserVersion2]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject2')._parserName2]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM DNS Activity Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimDnsHalcyon",
- "query": "let parser = () {\n HalcyonDnsActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]",
- "dependsOn": [
- "[variables('parserObject2')._parserId2]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]",
- "contentId": "[variables('parserObject2').parserContentId2]",
- "kind": "Parser",
- "version": "[variables('parserObject2').parserVersion2]",
- "source": {
- "kind": "Solution",
- "name": "Halcyon",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject3').parserTemplateSpecName3]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "ASimFileEventHalcyon Data Parser with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject3').parserVersion3]",
- "parameters": {},
- "variables": {},
- "resources": [
+ ],
+ "customs": [
+ {
+ "name": "Microsoft Entra Create Permissions",
+ "description": "Permissions to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
+ },
+ {
+ "name": "Role Assignment Permissions",
+ "description": "Write permissions required to assign Monitoring Metrics Publisher role to the data collection rule (DCR). Typically requires Owner or User Access Administrator role at the resource group level."
+ }
+ ]
+ },
+ "instructionSteps": [
{
- "name": "[variables('parserObject3')._parserName3]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM File Activity Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimFileEventHalcyon",
- "query": "let parser = () {\n HalcyonFileActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
+ "title": "1. Create ARM Resources and Provision Required Permissions",
+ "description": "This connector reads data from the tables that Halcyon uses in a Microsoft Analytics Workspace, if the data is being forwarded",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token."
}
- ]
- }
+ },
+ {
+ "parameters": {
+ "label": "Deploy Halcyon Connector Resources",
+ "applicationDisplayName": "Halcyon Sentinel Connector"
+ },
+ "type": "DeployPushConnectorButton"
+ }
+ ]
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]",
- "dependsOn": [
- "[variables('parserObject3')._parserId3]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimFileEventHalcyon')]",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "kind": "Parser",
- "version": "[variables('parserObject3').parserVersion3]",
- "source": {
- "name": "Halcyon",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
+ "title": "2. Configure your integration in the Halcyon Platform",
+ "description": "Use the following parameters to configure your integration in the Halcyon Platform.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Directory ID (Tenant ID)",
+ "fillWith": [
+ "TenantId"
+ ]
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "label": "Entra App Registration Application ID (Client ID)",
+ "fillWith": [
+ "ApplicationId"
+ ],
+ "placeholder": "Deploy the Push Connector to get the App Registration Application ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "label": "Entra App Registration Secret (Credential Secret) (THIS SECRET WILL NOT BE VISIBLE AFTER LEAVING THIS PAGE)",
+ "fillWith": [
+ "ApplicationSecret"
+ ],
+ "placeholder": "Deploy the Push Connector to get the App Registration Secret"
+ },
+ "type": "CopyableLabel"
},
- "author": {
- "name": "Halcyon"
+ {
+ "parameters": {
+ "label": "Data Collection Endpoint (URL)",
+ "fillWith": [
+ "DataCollectionEndpoint"
+ ],
+ "placeholder": "Deploy the Push Connector to get the Data Collection Endpoint"
+ },
+ "type": "CopyableLabel"
},
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
+ {
+ "parameters": {
+ "label": "Data Collection Rule ID (Rule ID)",
+ "fillWith": [
+ "DataCollectionRuleId"
+ ],
+ "placeholder": "Deploy the Push Connector to get the Data Collection Rule ID"
+ },
+ "type": "CopyableLabel"
}
- }
+ ]
}
]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "contentKind": "Parser",
- "displayName": "ASIM File Activity Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
- "version": "[variables('parserObject3').parserVersion3]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject3')._parserName3]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM File Activity Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimFileEventHalcyon",
- "query": "let parser = () {\n HalcyonFileActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
+ }
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]",
- "dependsOn": [
- "[variables('parserObject3')._parserId3]"
- ],
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimFileEventHalcyon')]",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "kind": "Parser",
- "version": "[variables('parserObject3').parserVersion3]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "kind": "Solution",
- "name": "Halcyon",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
"email": "support@halcyon.ai",
"tier": "Partner",
"link": "https://www.halcyon.ai"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject4').parserTemplateSpecName4]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ASimNetworkSessionHalcyon Data Parser with template version 3.0.0",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "Halcyon Connector",
+ "contentKind": "ResourcesDataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject4').parserVersion4]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject4')._parserName4]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM Network Session Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimNetworkSessionHalcyon",
- "query": "let parser = () {\n HalcyonNetworkSession_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "auth": {
+ "type": "object",
+ "defaultValue": {
+ "appId": "[[parameters('auth').appId]]",
+ "servicePrincipalId": "[[parameters('auth').servicePrincipalId]]"
}
},
+ "connectorDefinitionName": {
+ "defaultValue": "Halcyon Connector",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
+ },
+ "resources": [
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]",
- "dependsOn": [
- "[variables('parserObject4')._parserId4]"
- ],
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "kind": "Parser",
- "version": "[variables('parserObject4').parserVersion4]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "name": "Halcyon",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
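Review bot: The `description` of the "1. Create ARM Resources and Provision Required Permissions" step does not match what the step does: it says the connector "reads data from the tables that Halcyon uses in a Microsoft Analytics Workspace, if the data is being forwarded" (a dangling clause, and "Analytics Workspace" is not the product name), while the Markdown block and the `DeployPushConnectorButton` directly beneath it create a Log Analytics table, a Data Collection Rule and an Entra application that Halcyon pushes into. Suggest `"description": "Deploying this step creates the Log Analytics table, the Data Collection Rule (DCR) and the Entra application registration that Halcyon uses to push events into this workspace."`. The second `customs` permission entry asks for Owner or User Access Administrator "at the resource group level", but the role it describes (Monitoring Metrics Publisher) is assigned on the DCR itself, so from a least-privilege standpoint the text should say that role-assignment rights scoped to the DCR are sufficient — worth confirming against how the deploy button actually scopes the assignment before changing the wording. Step 2 hands the Entra client secret to the operator through a copyable label with no guidance on its lifetime; consider adding to that step's description that the secret should be stored in a vault and rotated before its expiry, since the label already warns it cannot be retrieved again. The trailing `ResourcesDataConnector` content template at the end of this hunk continues past the hunk boundary.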
@@ -5349,134 +866,33 @@
"link": "https://www.halcyon.ai"
}
}
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "contentKind": "Parser",
- "displayName": "ASIM Network Session Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "version": "[variables('parserObject4').parserVersion4]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject4')._parserName4]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM Network Session Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimNetworkSessionHalcyon",
- "query": "let parser = () {\n HalcyonNetworkSession_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]",
- "dependsOn": [
- "[variables('parserObject4')._parserId4]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "kind": "Parser",
- "version": "[variables('parserObject4').parserVersion4]",
- "source": {
- "kind": "Solution",
- "name": "Halcyon",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject5').parserTemplateSpecName5]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "ASimProcessEventHalcyon Data Parser with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject5').parserVersion5]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject5')._parserName5]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM Process Event Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimProcessEventHalcyon",
- "query": "let parser = () {\n HalcyonProcessEvent_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
- "dependsOn": [
- "[variables('parserObject5')._parserId5]"
- ],
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'HalcyonPushConnector', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Push",
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]",
- "contentId": "[variables('parserObject5').parserContentId5]",
- "kind": "Parser",
- "version": "[variables('parserObject5').parserVersion5]",
- "source": {
- "name": "Halcyon",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
+ "connectorDefinitionName": "HalcyonPush",
+ "dcrConfig": {
+ "dataCollectionRuleId": "{{dataCollectionRuleId}}",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-Halcyon"
},
- "author": {
- "name": "Halcyon"
+ "auth": {
+ "type": "Push",
+ "appId": "[[parameters('auth').appId]",
+ "servicePrincipalId": "[[parameters('auth').servicePrincipalId]"
},
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
+ "request": {
+ "RetryCount": 1
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.messages"
+ ]
}
}
}
@@ -5485,64 +901,10 @@
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject5').parserContentId5]",
- "contentKind": "Parser",
- "displayName": "ASIM Process Event Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
- "version": "[variables('parserObject5').parserVersion5]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject5')._parserName5]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "ASIM Process Event Parser for Halcyon",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ASimProcessEventHalcyon",
- "query": "let parser = () {\n HalcyonProcessEvent_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n",
- "functionParameters": "disabled:bool=False",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
- "dependsOn": [
- "[variables('parserObject5')._parserId5]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]",
- "contentId": "[variables('parserObject5').parserContentId5]",
- "kind": "Parser",
- "version": "[variables('parserObject5').parserVersion5]",
- "source": {
- "kind": "Solution",
- "name": "Halcyon",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Halcyon"
- },
- "support": {
- "name": "Halcyon",
- "email": "support@halcyon.ai",
- "tier": "Partner",
- "link": "https://www.halcyon.ai"
- }
+ "version": "[variables('dataConnectorCCPVersion')]"
}
},
{
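Review bot: Dropping the `ASimProcessEventHalcyon` savedSearch and its Parser metadata here (and the parserObject1–4 entries removed from the dependencies list in the `@@ -5583` hunk) is a breaking change for workspaces that installed 3.0.0: any saved query, workbook or analytics rule that calls the function alias stops resolving after the upgrade, while the version in the `@@ -5550` hunk only moves 3.0.0 → 3.1.0 and the release-notes row mentions only the OCSF connector update. Either keep the savedSearch resources in the template until consumers have migrated, or document the removal and the replacement stream (`Custom-Halcyon`) in ReleaseNotes.md and the description so operators can update their queries before upgrading. Separately, the removed Parser metadata paired `contentProductId` with an identical `id`; the DataConnector block in this hunk adds only `contentProductId`, so confirm `id` is set in the part of the block above the hunk.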
@@ -5550,12 +912,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.1.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Halcyon",
"publisherDisplayName": "Halcyon",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Halcyon solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.
\nData Connectors: 1, Parsers: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Halcyon solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in Preview state or might result in additional data ingestion or operational costs:
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -5568,7 +930,8 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
@@ -5583,36 +946,11 @@
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"version": "[variables('dataConnectorCCPVersion')]"
- },
- {
- "kind": "Parser",
- "contentId": "[variables('parserObject1').parserContentId1]",
- "version": "[variables('parserObject1').parserVersion1]"
- },
- {
- "kind": "Parser",
- "contentId": "[variables('parserObject2').parserContentId2]",
- "version": "[variables('parserObject2').parserVersion2]"
- },
- {
- "kind": "Parser",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "version": "[variables('parserObject3').parserVersion3]"
- },
- {
- "kind": "Parser",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "version": "[variables('parserObject4').parserVersion4]"
- },
- {
- "kind": "Parser",
- "contentId": "[variables('parserObject5').parserContentId5]",
- "version": "[variables('parserObject5').parserVersion5]"
}
]
},
"firstPublishDate": "2025-12-22",
- "lastPublishDate": "2025-12-22",
+ "lastPublishDate": "2026-03-24",
"providers": [
"Halcyon"
],
diff --git a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml
deleted file mode 100644
index b55dd6c3e4c..00000000000
--- a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: a1b2c3d4-e5f6-7890-1234-567890abcde1
-Function:
- Title: ASIM Authentication Event Parser for Halcyon
- Version: '1.0.0'
- LastUpdated: '2025-12-01'
-Category: Microsoft Sentinel Parser
-FunctionName: ASimAuthenticationHalcyon
-FunctionAlias: ASimAuthenticationHalcyon
-FunctionQuery: |
- let parser = () {
- HalcyonAuthenticationEvents_CL
- | project-away SourceSystem, Type, TenantId
- };
- parser
-FunctionParams:
- - Name: disabled
- Type: bool
- Default: false
-EquivalentBuiltInParser: _ASim_Authentication_Halcyon
-ParserParams:
- - Name: disabled
- Type: bool
- Default: false
diff --git a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml
deleted file mode 100644
index ae96a21648f..00000000000
--- a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: a1b2c3d4-e5f6-7890-1234-567890abcde2
-Function:
- Title: ASIM DNS Activity Parser for Halcyon
- Version: '1.0.0'
- LastUpdated: '2025-12-01'
-Category: Microsoft Sentinel Parser
-FunctionName: ASimDnsHalcyon
-FunctionAlias: ASimDnsHalcyon
-FunctionQuery: |
- let parser = () {
- HalcyonDnsActivity_CL
- | project-away SourceSystem, Type, TenantId
- };
- parser
-FunctionParams:
- - Name: disabled
- Type: bool
- Default: false
-EquivalentBuiltInParser: _ASim_Dns_Halcyon
-ParserParams:
- - Name: disabled
- Type: bool
- Default: false
diff --git a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml
deleted file mode 100644
index b14b9c2dce3..00000000000
--- a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: a1b2c3d4-e5f6-7890-1234-567890abcde3
-Function:
- Title: ASIM File Activity Parser for Halcyon
- Version: '1.0.0'
- LastUpdated: '2025-12-01'
-Category: Microsoft Sentinel Parser
-FunctionName: ASimFileEventHalcyon
-FunctionAlias: ASimFileEventHalcyon
-FunctionQuery: |
- let parser = () {
- HalcyonFileActivity_CL
- | project-away SourceSystem, Type, TenantId
- };
- parser
-FunctionParams:
- - Name: disabled
- Type: bool
- Default: false
-EquivalentBuiltInParser: _ASim_FileEvent_Halcyon
-ParserParams:
- - Name: disabled
- Type: bool
- Default: false
diff --git a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml
deleted file mode 100644
index 952cfcf0348..00000000000
--- a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: a1b2c3d4-e5f6-7890-1234-567890abcde4
-Function:
- Title: ASIM Network Session Parser for Halcyon
- Version: '1.0.0'
- LastUpdated: '2025-12-01'
-Category: Microsoft Sentinel Parser
-FunctionName: ASimNetworkSessionHalcyon
-FunctionAlias: ASimNetworkSessionHalcyon
-FunctionQuery: |
- let parser = () {
- HalcyonNetworkSession_CL
- | project-away SourceSystem, Type, TenantId
- };
- parser
-FunctionParams:
- - Name: disabled
- Type: bool
- Default: false
-EquivalentBuiltInParser: _ASim_NetworkSession_Halcyon
-ParserParams:
- - Name: disabled
- Type: bool
- Default: false
diff --git a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml
deleted file mode 100644
index 6335f734afc..00000000000
--- a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: a1b2c3d4-e5f6-7890-1234-567890abcde5
-Function:
- Title: ASIM Process Event Parser for Halcyon
- Version: '1.0.0'
- LastUpdated: '2025-12-01'
-Category: Microsoft Sentinel Parser
-FunctionName: ASimProcessEventHalcyon
-FunctionAlias: ASimProcessEventHalcyon
-FunctionQuery: |
- let parser = () {
- HalcyonProcessEvent_CL
- | project-away SourceSystem, Type, TenantId
- };
- parser
-FunctionParams:
- - Name: disabled
- Type: bool
- Default: false
-EquivalentBuiltInParser: _ASim_ProcessEvent_Halcyon
-ParserParams:
- - Name: disabled
- Type: bool
- Default: false
diff --git a/Solutions/Halcyon/ReleaseNotes.md b/Solutions/Halcyon/ReleaseNotes.md
index b9ccba896d8..551be7d65c0 100644
--- a/Solutions/Halcyon/ReleaseNotes.md
+++ b/Solutions/Halcyon/ReleaseNotes.md
@@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
-|3.0.0 | 12-09-2025 | Initial Solution release
\ No newline at end of file
+|3.1.0 | 24-03-2026 | Update Connector to receive events with OCSF schemas |
+|3.0.0 | 09-12-2025 | Initial Solution release
\ No newline at end of file
diff --git a/Solutions/Halcyon/SolutionMetadata.json b/Solutions/Halcyon/SolutionMetadata.json
index 5f5bc5bc60f..242424e27a7 100644
--- a/Solutions/Halcyon/SolutionMetadata.json
+++ b/Solutions/Halcyon/SolutionMetadata.json
@@ -2,7 +2,7 @@
"publisherId": "halcyontech1743610828684",
"offerId": "azure-sentinel-solution-halcyon",
"firstPublishDate": "2025-12-22",
- "lastPublishDate": "2025-12-22",
+ "lastPublishDate": "2026-03-24",
"providers": ["Halcyon"],
"categories": {
"domains" : ["Security - Threat Protection"]