diff --git a/Solutions/ZeroFox Threat Intelligence/Package/3.0.0.zip b/Solutions/ZeroFox Threat Intelligence/Package/3.0.0.zip index df1e6507e66..ca3744622b3 100644 Binary files a/Solutions/ZeroFox Threat Intelligence/Package/3.0.0.zip and b/Solutions/ZeroFox Threat Intelligence/Package/3.0.0.zip differ diff --git a/Solutions/ZeroFox Threat Intelligence/Package/mainTemplate.json b/Solutions/ZeroFox Threat Intelligence/Package/mainTemplate.json index 34ba5e5f0b7..21ba8ce7c59 100644 --- a/Solutions/ZeroFox Threat Intelligence/Package/mainTemplate.json +++ b/Solutions/ZeroFox Threat Intelligence/Package/mainTemplate.json @@ -536,6 +536,1560 @@ ] } } + }, + { + "name": "ZeroFoxBotnet_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxBotnet_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "ip_address_s", + "Type": "string", + "Description": "IP Address for the botnet record" + }, + { + "Name": "listed_at_t", + "Type": "datetime", + "Description": "When the botnet was ingested into the system" + }, + { + "Name": "bot_name_s", + "Type": "string", + "Description": "Botnet Family of the botnet record" + }, + { + "Name": "c2_ip_address_s", + "Type": "string", + "Description": "Destination IP address of the botnet record" + }, + { + "Name": "c2_domain_s", + "Type": "string", + "Description": "Domain of the botnet record" + }, + { + "Name": "is_common_domain_b", + "Type": "boolean", + "Description": "Is the C2 Domain common (i.e. found in [Majestic Million's top 1M domains list](https://majestic.com/reports/majestic-million))" + }, + { + "Name": "file_location_s", + "Type": "string", + "Description": "File Location" + }, + { + "Name": "operating_system_s", + "Type": "string", + "Description": "Operating System" + }, + { + "Name": "anti_viruses_s", + "Type": "string", + "Description": "Anti Viruses" + }, + { + "Name": "country_code_s", + "Type": "string", + "Description": "Country Code" + }, + { + "Name": "zip_code_s", + "Type": "string", + "Description": "Zip Code" + }, + { + "Name": "location_s", + "Type": "string", + "Description": "Location" + }, + { + "Name": "current_language_s", + "Type": "string", + "Description": "Current Language" + }, + { + "Name": "available_keyboards_s", + "Type": "string", + "Description": "Available Keyboards" + }, + { + "Name": "uac_s", + "Type": "string", + "Description": "Uac" + }, + { + "Name": "process_elevation_s", + "Type": "string", + "Description": "Process Elevation" + }, + { + "Name": "acquired_at_t", + "Type": "datetime", + "Description": "Acquired At" + }, + { + "Name": "logged_at_t", + "Type": "datetime", + "Description": "Logged At" + }, + { + "Name": "estimated_infected_at_t", + "Type": "datetime", + "Description": "Estimated Infected At" + }, + { + "Name": "breached_at_t", + "Type": "datetime", + "Description": "Breached At" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + } + ] + } + } + }, + { + "name": "ZeroFoxBotnetCC_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxBotnetCC_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the record was ingested into the system" + }, + { + "Name": "username_s", + "Type": "string", + "Description": "Username" + }, + { + "Name": "password_s", + "Type": "string", + "Description": "Password" + }, + { + "Name": "email_s", + "Type": "string", + "Description": "Email" + }, + { + "Name": "domain_s", + "Type": "string", + "Description": "Domain" + }, + { + "Name": "impacted_domain_s", + "Type": "string", + "Description": "Impacted Domain" + }, + { + "Name": "botnet_family_s", + "Type": "string", + "Description": "Botnet Family" + }, + { + "Name": "accessed_url_s", + "Type": "string", + "Description": "Accessed Url" + }, + { + "Name": "ip_s", + "Type": "string", + "Description": "Ip" + }, + { + "Name": "file_location_s", + "Type": "string", + "Description": "File Location" + }, + { + "Name": "operating_system_s", + "Type": "string", + "Description": "Operating System" + }, + { + "Name": "anti_viruses_s", + "Type": "string", + "Description": "Anti Viruses" + }, + { + "Name": "country_code_s", + "Type": "string", + "Description": "Country Code" + }, + { + "Name": "zip_code_s", + "Type": "string", + "Description": "Zip Code" + }, + { + "Name": "location_s", + "Type": "string", + "Description": "Location" + }, + { + "Name": "current_language_s", + "Type": "string", + "Description": "Current Language" + }, + { + "Name": "available_keyboards_s", + "Type": "string", + "Description": "Available Keyboards" + }, + { + "Name": "uac_s", + "Type": "string", + "Description": "Uac" + }, + { + "Name": "process_elevation_s", + "Type": "string", + "Description": "Process Elevation" + }, + { + "Name": "acquired_at_t", + "Type": "datetime", + "Description": "Acquired At" + }, + { + "Name": "logged_at_t", + "Type": "datetime", + "Description": "Logged At" + }, + { + "Name": "estimated_infected_at_t", + "Type": "datetime", + "Description": "Estimated Infected At" + }, + { + "Name": "breached_at_t", + "Type": "datetime", + "Description": "Breached At" + }, + { + "Name": "accessed_url_date_t", + "Type": "datetime", + "Description": "Accessed Url Date" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + }, + { + "Name": "breach_id_s", + "Type": "string", + "Description": "Breach ID the credentials were acquired from" + }, + { + "Name": "breach_name_s", + "Type": "string", + "Description": "Breach Name" + }, + { + "Name": "breach_url_s", + "Type": "string", + "Description": "Breach Url" + } + ] + } + } + }, + { + "name": "ZeroFoxBreaches_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxBreaches_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "id_s", + "Type": "string", + "Description": "Id" + }, + { + "Name": "name_s", + "Type": "string", + "Description": "Name" + }, + { + "Name": "description_s", + "Type": "string", + "Description": "Description" + }, + { + "Name": "breach_date_t", + "Type": "datetime", + "Description": "Breach Date" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "Created At" + }, + { + "Name": "included_fields_s", + "Type": "string", + "Description": "Included Fields" + }, + { + "Name": "record_count_s", + "Type": "int", + "Description": "Record Count" + }, + { + "Name": "threat_type_s", + "Type": "string", + "Description": "Threat Type" + }, + { + "Name": "geography_region_code_s", + "Type": "string", + "Description": "Geography Region Code" + }, + { + "Name": "geography_sub_region_code_s", + "Type": "string", + "Description": "Geography Sub Region Code" + }, + { + "Name": "geography_country_code_s", + "Type": "string", + "Description": "Geography Country Code" + }, + { + "Name": "geography_country_iso_alpha3_code_s", + "Type": "string", + "Description": "Geography Country Iso Alpha3 Code" + }, + { + "Name": "geography_region_s", + "Type": "string", + "Description": "Geography Region" + }, + { + "Name": "geography_sub_region_s", + "Type": "string", + "Description": "Geography Sub Region" + }, + { + "Name": "geography_country_s", + "Type": "string", + "Description": "Geography Country" + }, + { + "Name": "confidence_s", + "Type": "string", + "Description": "Confidence" + }, + { + "Name": "reliability_s", + "Type": "string", + "Description": "Reliability" + }, + { + "Name": "tlp_s", + "Type": "string", + "Description": "Tlp" + }, + { + "Name": "industry_s", + "Type": "string", + "Description": "Industry" + } + ] + } + } + }, + { + "name": "ZeroFoxCompromisedCredentials_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxCompromisedCredentials_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the credential was ingested into the system" + }, + { + "Name": "domain_s", + "Type": "string", + "Description": "Domain of the user's email" + }, + { + "Name": "email_s", + "Type": "string", + "Description": "Email address of the compromised credential" + }, + { + "Name": "username_s", + "Type": "string", + "Description": "Username of the compromised credential" + }, + { + "Name": "password_s", + "Type": "string", + "Description": "Password of the compromised credential" + }, + { + "Name": "password_type_s", + "Type": "string", + "Description": "Password type of the compromised credential" + }, + { + "Name": "breach_name_s", + "Type": "string", + "Description": "Name of the breach" + }, + { + "Name": "breach_id_s", + "Type": "string", + "Description": "Breach ID the credentials were acquired from" + }, + { + "Name": "breached_at_t", + "Type": "datetime", + "Description": "Date of the breach" + }, + { + "Name": "impacted_domain_s", + "Type": "string", + "Description": "Domain impacted by the compromised credential" + }, + { + "Name": "data_exposure_at_t", + "Type": "datetime", + "Description": "Initial advertisement date of data" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + }, + { + "Name": "combolist_s", + "Type": "string", + "Description": "True if 'combolist' is present in source tags" + } + ] + } + } + }, + { + "name": "ZeroFoxCreditCards_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxCreditCards_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "cc_num_s", + "Type": "string", + "Description": "Cc Num" + }, + { + "Name": "month_s", + "Type": "string", + "Description": "Month" + }, + { + "Name": "year_s", + "Type": "string", + "Description": "Year" + }, + { + "Name": "cvv_s", + "Type": "string", + "Description": "Cvv" + }, + { + "Name": "issuer_s", + "Type": "string", + "Description": "Issuer" + }, + { + "Name": "source_s", + "Type": "string", + "Description": "Source" + }, + { + "Name": "cc_bin_s", + "Type": "string", + "Description": "Cc Bin" + }, + { + "Name": "breach_name_s", + "Type": "string", + "Description": "Breach Name" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the credit card was ingested into the system" + } + ] + } + } + }, + { + "name": "ZeroFoxDarkWeb_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxDarkWeb_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "content_audience_s", + "Type": "string", + "Description": "Content audience" + }, + { + "Name": "forum_name_s", + "Type": "string", + "Description": "Forum name" + }, + { + "Name": "forum_uuid_s", + "Type": "string", + "Description": "Forum UUID" + }, + { + "Name": "general_topic_s", + "Type": "string", + "Description": "General topic" + }, + { + "Name": "language_code_s", + "Type": "string", + "Description": "Language code" + }, + { + "Name": "network_type_s", + "Type": "string", + "Description": "Network type describes the network from which the content is sourced e.g. open = surface web, tor = dark web " + }, + { + "Name": "site_type_s", + "Type": "string", + "Description": "Site type categorizes the kind of source site e.g. news, blogs, discussions, chat, market, paste, imageboard, ransomware_blog" + }, + { + "Name": "parent_uuid_s", + "Type": "string", + "Description": "If this post is a reply to another post (ParentPost), then the parent_uuid is the post_uuid of the ParentPost" + }, + { + "Name": "post_body_s", + "Type": "string", + "Description": "Post body" + }, + { + "Name": "timestamp_t", + "Type": "datetime", + "Description": "When the post was created." + }, + { + "Name": "post_member_name_s", + "Type": "string", + "Description": "Post member name" + }, + { + "Name": "post_type_s", + "Type": "string", + "Description": "Post type" + }, + { + "Name": "post_uuid_s", + "Type": "string", + "Description": "Post UUID" + }, + { + "Name": "sequence_number_s", + "Type": "int", + "Description": "Position of the post within a forum thread" + }, + { + "Name": "thread_name_s", + "Type": "string", + "Description": "Thread name" + }, + { + "Name": "thread_url_s", + "Type": "string", + "Description": "Thread url" + }, + { + "Name": "thread_uuid_s", + "Type": "string", + "Description": "Thread UUID" + }, + { + "Name": "domain_s", + "Type": "string", + "Description": "Domain" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the record was ingested into the system" + }, + { + "Name": "post_created_at_t", + "Type": "datetime", + "Description": "Post created at" + } + ] + } + } + }, + { + "name": "ZeroFoxDiscord_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxDiscord_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "author_id_s", + "Type": "string", + "Description": "Author Id" + }, + { + "Name": "author_username_s", + "Type": "string", + "Description": "Author Username" + }, + { + "Name": "channel_name_s", + "Type": "string", + "Description": "Channel name" + }, + { + "Name": "content_s", + "Type": "string", + "Description": "Content" + }, + { + "Name": "server_name_s", + "Type": "string", + "Description": "Server name" + }, + { + "Name": "timestamp_t", + "Type": "datetime", + "Description": "Timestamp when the message was sent" + }, + { + "Name": "thread_url_s", + "Type": "string", + "Description": "Thread URL" + } + ] + } + } + }, + { + "name": "ZeroFoxDisruption_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxDisruption_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "url_s", + "Type": "string", + "Description": "URL" + }, + { + "Name": "fqdn_s", + "Type": "string", + "Description": "FQDN" + }, + { + "Name": "ip_s", + "Type": "string", + "Description": "IP Address" + }, + { + "Name": "host_s", + "Type": "string", + "Description": "Host" + }, + { + "Name": "registrar_s", + "Type": "string", + "Description": "Registrar" + }, + { + "Name": "threat_type_s", + "Type": "string", + "Description": "Threat type" + }, + { + "Name": "http_status_s", + "Type": "int", + "Description": "Http Status" + }, + { + "Name": "asn_s", + "Type": "int", + "Description": "ASN" + }, + { + "Name": "iana_s", + "Type": "int", + "Description": "IANA" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "Created at" + }, + { + "Name": "updated_at_t", + "Type": "datetime", + "Description": "Updated at" + }, + { + "Name": "category_s", + "Type": "string", + "Description": "Category" + }, + { + "Name": "network_s", + "Type": "string", + "Description": "Network" + } + ] + } + } + }, + { + "name": "ZeroFoxEmailAddresses_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxEmailAddresses_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the email address was ingested into the system" + }, + { + "Name": "email_s", + "Type": "string", + "Description": "Email" + }, + { + "Name": "domain_s", + "Type": "string", + "Description": "Domain" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + } + ] + } + } + }, + { + "name": "ZeroFoxExploits_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxExploits_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the record was ingested into the system" + }, + { + "Name": "cve_s", + "Type": "string", + "Description": "CVE" + }, + { + "Name": "urls_s", + "Type": "string", + "Description": "URL where exploit was found" + }, + { + "Name": "exploit_s", + "Type": "string", + "Description": "Exploit code" + } + ] + } + } + }, + { + "name": "ZeroFoxIndicators_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxIndicators_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "type_s", + "Type": "string", + "Description": "Type of indicator (IP, Domain, URL or Malicious File)" + }, + { + "Name": "value_s", + "Type": "string", + "Description": "Display value of the indicator" + }, + { + "Name": "ip_addresses_s", + "Type": "string", + "Description": "Ip Addresses" + }, + { + "Name": "domain_s", + "Type": "string", + "Description": "Domain name" + }, + { + "Name": "filename_s", + "Type": "string", + "Description": "File name or location" + }, + { + "Name": "url_s", + "Type": "string", + "Description": "URL" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + }, + { + "Name": "ports_s", + "Type": "int", + "Description": "Ports" + }, + { + "Name": "malware_family_s", + "Type": "string", + "Description": "Malware Family" + }, + { + "Name": "sha1_s", + "Type": "string", + "Description": "Known sha1 hashes for this file" + }, + { + "Name": "sha256_s", + "Type": "string", + "Description": "Known sha256 hashes for this file" + }, + { + "Name": "sha512_s", + "Type": "string", + "Description": "Known sha512 hashes for this file" + }, + { + "Name": "md5_s", + "Type": "string", + "Description": "Known md5 hashes for this file" + }, + { + "Name": "c2_ip_addresses_s", + "Type": "string", + "Description": "C2 IP Adresses" + }, + { + "Name": "c2_domains_s", + "Type": "string", + "Description": "C2 Domains" + }, + { + "Name": "events_threat_type_s", + "Type": "string", + "Description": "Events Threat Type" + }, + { + "Name": "events_date_t", + "Type": "datetime", + "Description": "Events Date" + }, + { + "Name": "file_location_s", + "Type": "string", + "Description": "File location" + }, + { + "Name": "cloud_provider_s", + "Type": "string", + "Description": "Cloud provider" + }, + { + "Name": "top_1m_b", + "Type": "boolean", + "Description": "Top 1M" + }, + { + "Name": "bot_name_s", + "Type": "string", + "Description": "Bot name" + }, + { + "Name": "first_seen_t", + "Type": "datetime", + "Description": "Timestamp when the indicator was first seen" + }, + { + "Name": "last_seen_t", + "Type": "datetime", + "Description": "Timestamp when the indicator was last seen" + }, + { + "Name": "last_modified_s", + "Type": "string", + "Description": "Last Modified" + }, + { + "Name": "expired_s", + "Type": "string", + "Description": "Expired" + }, + { + "Name": "ttl_s", + "Type": "string", + "Description": "Ttl" + }, + { + "Name": "confidence_value_s", + "Type": "string", + "Description": "Confidence value" + }, + { + "Name": "confidence_description_s", + "Type": "string", + "Description": "Confidence description" + }, + { + "Name": "note_s", + "Type": "string", + "Description": "Note" + }, + { + "Name": "asn_s", + "Type": "string", + "Description": "ASN" + }, + { + "Name": "asn_description_s", + "Type": "string", + "Description": "ASN Description" + }, + { + "Name": "source_registry_s", + "Type": "string", + "Description": "Source Registry" + }, + { + "Name": "ttp_ids_s", + "Type": "string", + "Description": "TTP IDs" + }, + { + "Name": "created_at_s", + "Type": "string", + "Description": "Created At" + }, + { + "Name": "ransom_note_s", + "Type": "string", + "Description": "Ransom Note" + }, + { + "Name": "emails_s", + "Type": "string", + "Description": "Email address" + }, + { + "Name": "crypto_wallets_s", + "Type": "string", + "Description": "Cryptowallet address" + }, + { + "Name": "note_urls_s", + "Type": "string", + "Description": "Note URLs" + }, + { + "Name": "ransomware_name_s", + "Type": "string", + "Description": "Ransomware name" + } + ] + } + } + }, + { + "name": "ZeroFoxKeyIncidents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxKeyIncidents_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "analysis_s", + "Type": "string", + "Description": "Analysis" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "Created At" + }, + { + "Name": "updated_at_t", + "Type": "datetime", + "Description": "Updated At" + }, + { + "Name": "headline_s", + "Type": "string", + "Description": "Headline" + }, + { + "Name": "incident_id_s", + "Type": "string", + "Description": "Incident Id" + }, + { + "Name": "risk_level_s", + "Type": "string", + "Description": "Risk Level" + }, + { + "Name": "solution_s", + "Type": "string", + "Description": "Solution" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + }, + { + "Name": "target_types_s", + "Type": "string", + "Description": "Target Types" + }, + { + "Name": "threat_types_s", + "Type": "string", + "Description": "Threat Types" + }, + { + "Name": "title_s", + "Type": "string", + "Description": "Title" + }, + { + "Name": "url_s", + "Type": "string", + "Description": "Url" + }, + { + "Name": "attachments_s", + "Type": "string", + "Description": "Attachments" + }, + { + "Name": "matchingContent_s", + "Type": "string", + "Description": "Matchingcontent" + }, + { + "Name": "highlightedContent_s", + "Type": "string", + "Description": "Highlightedcontent" + }, + { + "Name": "id_s", + "Type": "string", + "Description": "Record id" + } + ] + } + } + }, + { + "name": "ZeroFoxNationalIds_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxNationalIds_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "national_identifier_s", + "Type": "string", + "Description": "National Citizen Identifier" + }, + { + "Name": "country_s", + "Type": "string", + "Description": "Country" + }, + { + "Name": "first_name_s", + "Type": "string", + "Description": "First name" + }, + { + "Name": "last_name_s", + "Type": "string", + "Description": "Last name" + }, + { + "Name": "person_name_s", + "Type": "string", + "Description": "Person name" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "When the national citizen identifier was ingested into the system" + }, + { + "Name": "source_s", + "Type": "string", + "Description": "Source url" + }, + { + "Name": "breach_name_s", + "Type": "string", + "Description": "Breach Name" + } + ] + } + } + }, + { + "name": "ZeroFoxPhysicalThreats_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxPhysicalThreats_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "id_s", + "Type": "string", + "Description": "Id" + }, + { + "Name": "locations_address_s", + "Type": "string", + "Description": "Address of the threat" + }, + { + "Name": "locations_street_address_s", + "Type": "string", + "Description": "Street Address of the threat" + }, + { + "Name": "locations_city_s", + "Type": "string", + "Description": "City of the threat" + }, + { + "Name": "locations_state_s", + "Type": "string", + "Description": "State of the threat" + }, + { + "Name": "locations_zip_s", + "Type": "string", + "Description": "Zip Code of the threat" + }, + { + "Name": "locations_zip_code_s", + "Type": "string", + "Description": "Zip Code of the threat" + }, + { + "Name": "locations_country_s", + "Type": "string", + "Description": "Country Code as ISO_3166-1_alpha-2 two-letter of the threat" + }, + { + "Name": "locations_country_code_s", + "Type": "string", + "Description": "Country Code as ISO_3166-1_alpha-2 two-letter of the threat" + }, + { + "Name": "locations_shape_s", + "Type": "string", + "Description": "representation of a polygon in a map using the WKT string format" + }, + { + "Name": "locations_hierarchy_level_s", + "Type": "int", + "Description": "Determine the order of importance of this location compared to the other locations of the threat" + }, + { + "Name": "locations_hierarchy_label_s", + "Type": "string", + "Description": "Human representation of the hierarchy level attribute" + }, + { + "Name": "offending_content_url_s", + "Type": "string", + "Description": "URL of the post" + }, + { + "Name": "content_s", + "Type": "string", + "Description": "Content of the post" + }, + { + "Name": "notes_s", + "Type": "string", + "Description": "Notes related to the threat" + }, + { + "Name": "event_date_t", + "Type": "datetime", + "Description": "Date of the threat" + }, + { + "Name": "enterprise_id_s", + "Type": "string", + "Description": "Enterprise Id" + }, + { + "Name": "entity_id_s", + "Type": "string", + "Description": "Entity Id" + }, + { + "Name": "tags_s", + "Type": "string", + "Description": "Tags" + }, + { + "Name": "source_tags_s", + "Type": "string", + "Description": "Source Tags" + }, + { + "Name": "network_s", + "Type": "string", + "Description": "Network related to the post" + }, + { + "Name": "alert_id_s", + "Type": "string", + "Description": "Id of the Alert related to the threat" + }, + { + "Name": "data_set_s", + "Type": "string", + "Description": "Dataset of the threat" + }, + { + "Name": "attendees_interested_s", + "Type": "int", + "Description": "Attendees Interested of the threat" + }, + { + "Name": "attendees_going_s", + "Type": "int", + "Description": "Attendees Going of the threat" + }, + { + "Name": "post_date_s", + "Type": "string", + "Description": "Expose Publish Date of the threat" + }, + { + "Name": "timestamp_s", + "Type": "string", + "Description": "Expose Internal Date of the threat" + }, + { + "Name": "incident_group_s", + "Type": "string", + "Description": "Incident Group" + }, + { + "Name": "incident_type_s", + "Type": "string", + "Description": "Incident Type" + }, + { + "Name": "incident_subtype_s", + "Type": "string", + "Description": "Incident Subtype" + }, + { + "Name": "timeframe_s", + "Type": "string", + "Description": "Timeframe" + } + ] + } + } + }, + { + "name": "ZeroFoxTelegram_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxTelegram_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "channel_name_s", + "Type": "string", + "Description": "Channel Name" + }, + { + "Name": "timestamp_t", + "Type": "datetime", + "Description": "When the telegram message was sent" + }, + { + "Name": "first_name_s", + "Type": "string", + "Description": "First Name" + }, + { + "Name": "last_name_s", + "Type": "string", + "Description": "Last Name" + }, + { + "Name": "message_s", + "Type": "string", + "Description": "Message" + }, + { + "Name": "user_s", + "Type": "string", + "Description": "User" + }, + { + "Name": "message_url_s", + "Type": "string", + "Description": "Message Url" + } + ] + } + } + }, + { + "name": "ZeroFoxVulnerabilities_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "ZeroFoxVulnerabilities_CL", + "columns": [ + { + "Name": "TimeGenerated", + "Type": "datetime", + "Description": "The timestamp reflecting the time in which the event was generated" + }, + { + "Name": "base_score_s", + "Type": "real", + "Description": "Base Score" + }, + { + "Name": "description_s", + "Type": "string", + "Description": "Description" + }, + { + "Name": "exploitability_score_s", + "Type": "real", + "Description": "Exploitability Score" + }, + { + "Name": "impact_score_s", + "Type": "real", + "Description": "Impact Score" + }, + { + "Name": "created_at_t", + "Type": "datetime", + "Description": "Created At" + }, + { + "Name": "updated_at_t", + "Type": "datetime", + "Description": "Updated At" + }, + { + "Name": "vector_string_s", + "Type": "string", + "Description": "Vector String" + }, + { + "Name": "cve_s", + "Type": "string", + "Description": "Cve" + }, + { + "Name": "summary_s", + "Type": "string", + "Description": "Summary" + }, + { + "Name": "remediation_s", + "Type": "string", + "Description": "Remediation" + }, + { + "Name": "products_d", + "Type": "dynamic", + "Description": "Products" + } + ] + } + } } ] },